This repository has been archived by the owner on Oct 26, 2019. It is now read-only.

Encryption #37

Open
bayleedev opened this issue Jul 29, 2016 · 2 comments

@bayleedev
Member

Storing an API key in your zazurc.js file means it can't be backed up to GitHub or other public type places. There should be a way to easily add encrypted data to this file. Possibly related to the package manager #32

@bayleedev bayleedev added this to the v0.2.0 milestone Jul 29, 2016
@bayleedev
Member Author

@bayleedev bayleedev removed this from the v0.2.0 milestone Oct 5, 2016
@bayleedev
Member Author

After some talk this is what the current idea would look like:

When installing a plugin, currently it is assumed no variables need to be set. The zazu-package-manager can be modified to check which variables need to be set. Zazu can then prompt the user for inputs. For example:

diff --git a/zazu.json b/zazu.json
index 6d190ad..b5d212d 100644
--- a/zazu.json
+++ b/zazu.json
@@ -1,6 +1,9 @@
 {
   "name": "Gist",
   "icon": "icon.png",
+  "variables": {
+    "token": "string.secure"
+  },
   "blocks": {
     "input": [
       {
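
Review bot: the added "variables" entry packs both the type and the secrecy of token into one dotted string, "string.secure", and nothing in the hunk says which other values are valid or how the package manager should split it. Consider documenting the allowed type strings next to this field, or using separate keys for the type and the secure flag, and adding a human-readable label so the install prompt has something to show besides the key name token.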

We can also allow the user to specify an "encryption driver", which would default to one we create like tinytacoteam/zazu-encryption-aes or something. This will expose an encrypt/decrypt method.

When Zazu loads it'll search the plugin config for "secure" keys and overwrite them in memory. For example:

    {
      "name": "afaur/zazu-gist",
      "variables": {
        "token": {
          "secure": "7f46165474d11ee5836777d85df2cdab"
        }
      }
    }

Would replace token.secure to just be token and pass the real value into the plugin to use.

So the workflow would look like this:

  • Open Zazu
  • Type in install gist
  • The package manager prompts and asks for your api token
  • The package manager tries to encrypt it with the pluginContext.encrypt
  • Zazu does not have the password in memory
  • Zazu prompts the user for a password
  • Zazu asks the encryption driver to encrypt the data and returns it to the package manager
  • The package manager saves the new ~/.zazurc.json file and reloads zazu

When you open up Zazu with the new config:

  • Zazu sees a secure variable and tries to decrypt it
  • Zazu prompts you for a password since it is not in memory
  • Zazu passes it to the plugin when it's needed.

Assumptions

We assume the driver will ALWAYS need a password. What if you never wanted to share this file, but you wanted it to be secure? There could just be a driver that uses some randomly generated file as your password. The ~/.zazurc.json can't be shared but you could encrypt/decrypt on the same computer.

cc @tinytacoteam/zazu-core
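
An added sketch of the load-time step described in the comment above (not code from Zazu or its maintainers): a driver exposing encrypt/decrypt and a loader that swaps `{ "secure": ... }` variables for their decrypted values in memory only. The names `aesDriver` and `resolveSecure`, the scrypt plus AES-256-GCM choice, and the salt|iv|tag|ciphertext hex layout are assumptions of this example.

```javascript
// Added illustration; aesDriver and resolveSecure are hypothetical names, not Zazu APIs.
const crypto = require('crypto')

// Driver exposing the encrypt/decrypt pair the proposal describes.
// Blob layout (constructed for this example): hex(salt[16] | iv[12] | tag[16] | ciphertext).
const aesDriver = {
  encrypt (plaintext, password) {
    const salt = crypto.randomBytes(16)
    const iv = crypto.randomBytes(12)
    const key = crypto.scryptSync(password, salt, 32) // password-derived 256-bit key
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv)
    const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
    return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('hex')
  },
  decrypt (blob, password) {
    const raw = Buffer.from(blob, 'hex')
    if (raw.length < 44) throw new Error('secure value too short')
    const key = crypto.scryptSync(password, raw.subarray(0, 16), 32)
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28))
    decipher.setAuthTag(raw.subarray(28, 44))
    // final() throws on a wrong password or a modified blob
    return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8')
  }
}

// Returns a copy of a plugin entry with every { secure: "..." } variable replaced
// by its decrypted value; the object read from disk is left unchanged.
function resolveSecure (plugin, driver, password) {
  const variables = {}
  for (const [name, value] of Object.entries(plugin.variables || {})) {
    const isSecure = value !== null && typeof value === 'object' && typeof value.secure === 'string'
    variables[name] = isSecure ? driver.decrypt(value.secure, password) : value
  }
  return { ...plugin, variables }
}

// Constructed sample: the entry the package manager would save, then what the plugin receives.
function demo () {
  const password = 'constructed-passphrase'
  const secure = aesDriver.encrypt('constructed-api-token', password)
  const stored = { name: 'afaur/zazu-gist', variables: { token: { secure }, user: 'octocat' } }
  return { stored, loaded: resolveSecure(stored, aesDriver, password) }
}
```

Because GCM authenticates the blob, a wrong password surfaces as a thrown error rather than a garbage token handed to the plugin.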
