Insecure across multiple node instances? about node-keytar HOT 2 OPEN

If this is true, how do I properly secure user credentials so only my app can access them?

Unfortunately I am not sure there is a particularly satisfactory answer to this question. But from what I can figure you need to:

1. Distribute your app with its own node binary.
2. Lock that node binary down so it only executes your app’s scripts.
3. Ensure the trusted application in the ACL for the Keychain items encompasses your node binary and your app‘s scripts and deps.

My understanding is that keytar was mainly developed for Electron applications, so when used in an Electron context it is getting all three of those by default (though I wonder about 2).

Unfortunately, I suspect CLI apps on macOS cannot be application bundles, so 3 is only possible with keytar if you somehow include all your application and scripts inside the executable binary itself. If you forego keytar, and instead call Keychain Services directly, it might be possible to specify a path for the trusted application that minimally encompasses your node binary an application scripts.

Anyway, as you’ve found keytar is definitely not ideal for CLI apps, especially those distributed via npm. But I’m not sure if there is a better alternative, either. In any case, I agree that it would be a good idea to ensure this trade-off for CLI apps is documented.

from node-keytar.

@glebec i have a similar requirement as yours and i have been searching for ways to store users credentials in keychain. Now, that you have pointed out such a major flaw, i am not sure i should use keytar at all. It would be really helpful if anyone could explain how it can possibly be done using hasing, salting or anything else like that.

from node-keytar.