
Comments (4)

sg-chrishasz commented on June 3, 2024

SPGo 1.3.1 has been released to the VSCode Marketplace; you can now persist credentials by setting the following property in spgo.json: "storeCredentials" : true.

@koltyakov - CPass was easy to integrate, thanks!

from spgo.

koltyakov commented on June 3, 2024

Hi @sg-chrishasz,

We use cpass a lot within generator-app, node-sp-auth-config, and some other related projects.
The reasons behind cpass's initial creation were:

  • Exclude situations with clear text secrets showing up (while presenting code and occasional misconfiguration of .gitignore/.npmignore)
  • Make it simple and cross-platform (without OS-specific overheads)
  • Provide security over obscurity using unique "machine id" based encoding

I can't see any drawbacks really. Yet, the creds prompt system should be aware of some nuances. I.e. if a hashed string happens to be decoded on a machine other than the one where it was encoded, it ends up as the same hashed string (it just can't be encoded anywhere other than on the original machine); therefore the creds prompt system should understand that it does not own the secret and ask for it to be entered by a user. Otherwise, lots of issues can appear from folks who are used to dealing with sources stored in cloud file storage (Google Drive, OneDrive, etc.) and get a 401 error.

In the generator, for example, all the private files are ignored by git and never belong to commits. So if the same project is cloned on different machines, there are different versions of the private files and there are no situations where wrong creds are used, or at least such situations are rarely met.

I personally would be happy if SPGo uses cpass!


sg-chrishasz commented on June 3, 2024

@koltyakov that sounds good. Thank you for confirming cpass functionality!

I'll plan to write the hashed user data to local temp, and not to the user's roaming profile, to prevent the machine<->machine issues, and gracefully fall back to deleting and recapturing a user's credentials should authentication fail.


sg-chrishasz commented on June 3, 2024

Hello @forket,

I have thought about implementing this feature in the past, but I have not found a solution I am happy with from a usability and, most importantly, a security standpoint. There are a couple of different positions to consider:

  1. How to provide this in a cross-platform way. OSX uses the Keychain, Windows uses identity manager, etc. The VSTS plugin ships with a Windows .exe to manage Windows identity, and that seems like a heavy solution.
  2. I don't want to have passwords in clear-text in the config file, as that can be checked in to git or similar.

At one point, VSCode had an experimental API for managing credentials, but I do not think it was ever fully productized.

One option I could think of is using something like cpass to hash your username and password to a text file in temp storage (/tmp on OSX+Linux, /ApplicationData on Windows). I could then expose a property in the SPGo.json file like this: {"storeCredentials" : true} and use it as a flag to check for the hash.

What do you think of this solution?

@koltyakov do you see any drawbacks in this approach or the use of cpass?

