Comments (2)
If this is true, how do I properly secure user credentials so only my app can access them?
Unfortunately I am not sure there is a particularly satisfactory answer to this question. But from what I can figure you need to:
- Distribute your app with its own
node
binary. - Lock that
node
binary down so it only executes your app’s scripts. - Ensure the trusted application in the ACL for the Keychain items encompasses your
node
binary and your app‘s scripts and deps.
My understanding is that keytar
was mainly developed for Electron applications, so when used in an Electron context it is getting all three of those by default (though I wonder about 2
).
Unfortunately, I suspect CLI apps on macOS cannot be application bundles, so 3
is only possible with keytar
if you somehow include all your application and scripts inside the executable binary itself. If you forego keytar
, and instead call Keychain Services directly, it might be possible to specify a path for the trusted application that minimally encompasses your node
binary an application scripts.
Anyway, as you’ve found keytar
is definitely not ideal for CLI apps, especially those distributed via npm. But I’m not sure if there is a better alternative, either. In any case, I agree that it would be a good idea to ensure this trade-off for CLI apps is documented.
from node-keytar.
@glebec i have a similar requirement as yours and i have been searching for ways to store users credentials in keychain. Now, that you have pointed out such a major flaw, i am not sure i should use keytar at all. It would be really helpful if anyone could explain how it can possibly be done using hasing, salting or anything else like that.
from node-keytar.
Related Issues (20)
- Prebuild problem on Windows HOT 1
- Not being able to install on Windows. v8.h missing
- electron-rebuild fails after updating keytar to 7.7.0
- WSL Support
- Upgrade dependencies' major versions HOT 7
- https://www.instagram.com/p/CaAP2_VsEFp/?utm_medium=copy_linkc
- [win] handle different value for cred.Persist = CRED_PERSIST_ENTERPRISE;
- [Windows] Old credential comes back after current one is deleted HOT 3
- Keytar installation fails on Alpine Linux (Docker image) HOT 1
- Switch to prebuildify & node-gyp-build HOT 2
- Proposal: Support buffers for binary keychain data
- Not attempting prebuilt install
- setPassword error
- Add a new setPasswordDescription method
- Opt out from having the service name implicitly be concatenated with the account name on windows.
- Setting a password throws strange Error: �ڴ���Դ���㣬�����������” HOT 2
- `FindCredentials` call on Linux without unlocking the key store crashes
- Fails to install on Windows ARM
- Node
- Farewell, my dear Keytar
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from node-keytar.