System/user and persistent data between Rebol sessions

[Oldes]

By default the Rebol session has no user defined. In many cases it is useful to have per-user persistent data, which may be used by various scripts. Instead of keeping various secrets like access tokens or passwords in plain file, one may use built in safe scheme. The easiest way is to setup an user:

set-user/n guest
;; the `guest` is the name of the user
;; the refinement `/n` means, that a new user will be created, if not exists yet

If the user with such a name does not exists yet, you will be asked for a password which will be used to encrypt the persistent data file (stored in the system/options/home directory).

When the user is initialised, one may store any value in the created .safe file. For example to store an user's email:

put system/user/data 'email guest@example.com

Such a value may be accessed using:

select system/user/data 'email

Or using included helper function user's.

Values are not automatically saved.. one must use update action on the data port, or logout the user setting it to none.

Once logged in again, the value is again available:

The persistent data file may be used to store complex settings, like this config code in my Google API module

[Oldes]

It should be noted, that the persistent data file is encrypted, but one may use load function (and the safe codec) to get decrypted data (after using the password again).

[acook]

There's two standard approaches to this:

1. The OS layer where information is stored in $HOME or %APPDATA% and may be encrypted and/or permission restricted by the OS
2. A database where relationships can be mapped onto a user, where the whole or part of the data can encrypted or permission restricted by the DB or application layer

I wonder if it might be more secure to build this into a database or OS settings adapter instead of bespoke?

Or alternatively as a generic encrypted configuration format instead of something tied to the concept of a "user"?

[Oldes]

Years ago in Rebol2 times one used the user.r file to setup user's name, email configuration and so one... I prefer above mentioned approach, but if one does not want to use it, it is still possible to have in user.reb file just plain code like:

system/user/name: "foo"
system/user/data: #(email: some@example.com whatever: "....")

Where system/user/data does not have to be a map! or safe port to encrypted file, but it could be also connection to a database, like:

system/user/data: open sqlite://path-to.db

Although with the DB one would need some modified scheme, which would not require SQL queries.

I don't want to be limited to the system user as in many cases I want to be able change user contexts. I can do in console:

su oldes  ;; `su` is an alias to `set-user`
run-some-script
su guest
run-other-or-even-the-same-script-using-other-credentials

I just wanted to write some notes about this feature somewhere, because some modules (like the mentioned Google API, or pop3 scheme) uses it.

[Oldes]

It should be also noted, that although the used .safe file is encrypted, one should secure access to it using system permissions or for example Github secrets (like I do in the Google module CI test), because the password may be cracked using brute force easily.