Insecure across multiple node instances? #50
I'm trying to understand precisely what the use case for `keytar` is, specifically on OS X. For perspective, I am writing a CLI and I want to store user credentials so they don't need to be entered every time the CLI is used.

As I understand it, `keytar` stores credentials in the OS X keychain. Keychain automatically allows "the service which created the entry" to access or change the password. Testing this, however, it seems Keychain simply registers `node` as the service — meaning that any node process can arbitrarily look up any passwords set by `keytar`, with no confirmation by the user.

If this is true, how do I properly secure user credentials so only my app can access them? While I personally doubt any users are running malicious node apps which trawl Keychain for passwords, doubt is not the basis of a truly secure app. Right now I am thinking of doing some kind of unique salting / hashing / encrypting so it simply doesn't matter if any other app accesses those tokens from Keychain, but that brings its own concerns which I was hoping Keychain would take care of.

Follow-up: hmm, it seems that multiple separate node apps I make can access "each others'" passwords without any confirmation from the user, yet with 3rd-party libraries using `keytar` it asks the user for confirmation. I'm still researching this to figure out when and why `keytar` is given free access or not, but in any case I think this would be good to have in the documentation.

---

Unfortunately I am not sure there is a particularly satisfactory answer to this question. But from what I can figure you need to:

My understanding is that Unfortunately, I suspect CLI apps on macOS cannot be application bundles, so Anyway, as you've found

---

@glebec I have a similar requirement as yours and I have been searching for ways to store users' credentials in Keychain. Now that you have pointed out such a major flaw, I am not sure I should use keytar at all. It would be really helpful if anyone could explain how it can possibly be done using hashing, salting or anything else like that.