node-keytar
Insecure across multiple node instances?
I'm trying to understand precisely what the use case for keytar is, specifically on OS X. For perspective, I am writing a CLI and I want to store user credentials so they don't need to be entered every time the CLI is used.
As I understand it, keytar stores credentials in the OS X keychain. Keychain automatically allows "the service which created the entry" to access or change the password. Testing this, however, it seems Keychain simply registers node as the service — meaning that any node process can arbitrarily look up any passwords set by keytar, with no confirmation by the user.
If this is true, how do I properly secure user credentials so only my app can access them? While I personally doubt any users are running malicious node apps which trawl Keychain for passwords, doubt is not the basis of a truly secure app. Right now I am thinking of doing some kind of unique salting / hashing / encrypting so it simply doesn't matter if any other app accesses those tokens from Keychain, but that brings its own concerns which I was hoping Keychain would take care of.
Follow-up: hmm, it seems that multiple separate node apps I make can access "each other's" passwords without any confirmation from the user, yet for 3rd-party libraries using keytar it asks the user for confirmation. I'm still researching this to figure out when and why keytar is given free access or not, but in any case I think this would be good to have in the documentation.
If this is true, how do I properly secure user credentials so only my app can access them?
Unfortunately I am not sure there is a particularly satisfactory answer to this question. But from what I can figure you need to:
- Distribute your app with its own node binary.
- Lock that node binary down so it only executes your app's scripts.
- Ensure the trusted application in the ACL for the Keychain items encompasses your node binary and your app's scripts and deps.
My understanding is that keytar was mainly developed for Electron applications, so when used in an Electron context it is getting all three of those by default (though I wonder about 2).
Unfortunately, I suspect CLI apps on macOS cannot be application bundles, so 3 is only possible with keytar if you somehow include all your application and scripts inside the executable binary itself. If you forego keytar, and instead call Keychain Services directly, it might be possible to specify a path for the trusted application that minimally encompasses your node binary and application scripts.
Anyway, as you've found, keytar is definitely not ideal for CLI apps, especially those distributed via npm. But I'm not sure if there is a better alternative, either. In any case, I agree that it would be a good idea to ensure this trade-off for CLI apps is documented.
@glebec I have a similar requirement as yours and I have been searching for ways to store users' credentials in the keychain. Now that you have pointed out such a major flaw, I am not sure I should use keytar at all. It would be really helpful if anyone could explain how it can possibly be done using hashing, salting or anything else like that.