Feature Request: Remove password from environment #341

Closed
2 tasks done
lonevvolf opened this issue Sep 18, 2023 · 7 comments
Labels
class(feature) Indicates work related to a new feature status(previewed) This issue or pull request should be fixed in a released beta version status(released) This issue or pull request was released to production

Comments

@lonevvolf

lonevvolf commented Sep 18, 2023

Describe the ultimate goal you want to achieve

Currently, having to store the password in the environment is a bit insecure. In order to make this work, I have to set up the variables for the Docker container outside of the container itself, so they are clearly visible on that level (in my case, in Synology Container Manager). It would be great to have a flow where when no password is submitted, it can be filled in at the command line at first startup and cached in a secure way in the container storage.

How do you think the feature should be implemented

On first setup, it should be possible to send the password via command line to the container, and it would be encrypted and cached. icloudpd works in a similar way.

Checklist

@lonevvolf lonevvolf added class(feature) Indicates work related to a new feature status(open) A new issue - not yet classified labels Sep 18, 2023
@steilerDev steilerDev added status(in progress) This item is currently in scope for the next release and removed status(open) A new issue - not yet classified labels Sep 18, 2023
@steilerDev
Owner

steilerDev commented Sep 18, 2023

This makes sense - however I don't mind having those credentials visible on the container level (because the account is MFA secured - and the MFA trust token is location bound - meaning that even if password and token are stolen, the attacker needs to have an IP that is close to mine).

Nevertheless I understand the security implications and am already implementing the following (because it is quite simple): The CLI can be started with an empty password - if this is the case, it will prompt the user to enter it through the CLI. This password will be held in memory until the application exits.

@github-actions

This issue should be resolved with version v1.2.1-beta.1, please confirm.

@github-actions github-actions bot added the status(previewed) This issue or pull request should be fixed in a released beta version label Sep 23, 2023
@steilerDev steilerDev removed the status(in progress) This item is currently in scope for the next release label Sep 23, 2023
@lonevvolf
Author

How does this work in combination with daemon mode?

@steilerDev
Owner

The password is requested when starting the daemon mode and kept in memory for all runs until the process is stopped.

@steilerDev
Owner

Have a look at the documentation:

If you don't want to store your plain text password in the environment, it is possible to omit the `APPLE_ID_PWD` option, which will lead to the application awaiting the password from the command line upon start. To input the password into the running Docker container [it needs to be started with `tty: true` and `stdin_open: true`](https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir) / `docker run -itd` for [detached mode](https://docs.docker.com/engine/reference/run/#detached--d) with [tty and stdin open](https://docs.docker.com/engine/reference/run/#foreground). Once the container was started, you can attach to the running `icloud-photos-sync` process using [`docker attach photos-sync`](https://docs.docker.com/engine/reference/commandline/attach/)
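
An added example, not part of the original thread or the project's code: a small audit of `docker inspect` output that flags a container still carrying `APPLE_ID_PWD` in its environment, or one that omits it without the `tty` / `stdin_open` settings the quoted documentation requires. The sample JSON is constructed and trimmed to the three `Config` fields the check reads; the function name `audit_container` is hypothetical.

```python
import json

# Constructed samples of `docker inspect photos-sync` output, trimmed to the
# fields the check reads. Values are placeholders, not real credentials.
SAMPLE_ENV_PASSWORD = json.dumps([{
    "Name": "/photos-sync",
    "Config": {"Tty": False, "OpenStdin": False,
               "Env": ["APPLE_ID_PWD=constructed-placeholder", "TZ=UTC"]},
}])
SAMPLE_PROMPTED = json.dumps([{
    "Name": "/photos-sync",
    "Config": {"Tty": True, "OpenStdin": True, "Env": ["TZ=UTC"]},
}])
SAMPLE_NO_STDIN = json.dumps([{
    "Name": "/photos-sync",
    "Config": {"Tty": True, "OpenStdin": False, "Env": ["TZ=UTC"]},
}])


def audit_container(inspect_json, secret_var="APPLE_ID_PWD"):
    """Return one finding per misconfigured container in `docker inspect` JSON."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        config = container.get("Config") or {}
        # Compare variable names only, so the secret value is never echoed.
        env_names = {e.split("=", 1)[0] for e in (config.get("Env") or [])}
        if secret_var in env_names:
            findings.append(f"{name}: {secret_var} is set in the container environment "
                            "and readable by anyone who can inspect the container")
            continue
        # Password omitted: the prompt needs both settings to be reachable.
        missing = [flag for flag, key in (("tty", "Tty"), ("stdin_open", "OpenStdin"))
                   if not config.get(key)]
        if missing:
            findings.append(f"{name}: {secret_var} omitted but {', '.join(missing)} "
                            "not enabled, so the password prompt cannot be answered")
    return findings


if __name__ == "__main__":
    for label, sample in (("env password", SAMPLE_ENV_PASSWORD),
                          ("prompted", SAMPLE_PROMPTED),
                          ("no stdin", SAMPLE_NO_STDIN)):
        print(label, "->", audit_container(sample) or "ok")
```

To check a real container, pass the output of `docker inspect photos-sync` to `audit_container` instead of the constructed samples.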

@steilerDev
Owner

steilerDev commented Oct 1, 2023

1.3.0-beta.1 improves on the mechanism.

@github-actions

This issue was resolved with version v1.3.0.

@github-actions github-actions bot added the status(released) This issue or pull request was released to production label Oct 16, 2023