Title: Remote sync API keys are stored and returned in plaintext settings
Type: security
Severity: high
Area: settings / remote sync / secret storage
Description:
Remote sync API keys are currently persisted in data/settings.json and returned from GET /api/settings in plaintext. That makes the secret readable on disk and exposes it to any authenticated UI consumer or local process that can read the settings file. This is materially weaker than the encrypted Google Drive token handling and creates an inconsistent security posture.
Evidence:
- /Users/techmore/projects/NmapUI/nmapui/settings.py stores sync.remote_sync.api_key directly in the normalized settings document
- /Users/techmore/projects/NmapUI/nmapui/handlers/settings.py returns the full normalized settings document from GET /api/settings
- /Users/techmore/projects/NmapUI/nmapui/paths.py points settings persistence at /Users/techmore/projects/NmapUI/data/settings.json
- /Users/techmore/projects/NmapUI/tests/test_auth_routes.py currently asserts the plaintext api_key is returned in the API payload
Proposed Fix:
Move remote sync secrets into dedicated secret storage with the same standard as Google Drive tokens: encrypted at rest, owner-only file permissions, and API responses that expose only api_key_configured / connection status, not the secret value.
Implementation Notes:
- Split secret fields from general settings JSON
- Add a small secret-storage abstraction so sync providers use one mechanism
- Redact secret fields from all settings API responses and browser state
- Add migration logic for existing plaintext settings files
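The following is an added example, not NmapUI project code, sketching the four notes above in one place: a small secret store that is encrypted at rest and written with owner-only permissions, a function that strips secret fields out of the settings document (which doubles as the migration for an existing plaintext settings.json), and an API view that exposes only an api_key_configured flag. The field path sync.remote_sync.api_key is taken from the evidence section; the file names, function names, the master key handed in by the caller and the HMAC-based cipher are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import secrets
from pathlib import Path

# Assumed location of the secret inside the settings document, mirroring the
# sync.remote_sync.api_key path named in the issue's evidence.
SECRET_PATHS = [("sync", "remote_sync", "api_key")]


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive independent sub-keys for encryption and authentication."""
    return hmac.new(master, label, hashlib.sha256).digest()


class SecretStore:
    """Encrypted-at-rest secret store written with owner-only permissions.

    Illustrative cipher only: HMAC-SHA256 in counter mode as keystream plus an
    HMAC-SHA256 tag (encrypt-then-MAC). A real deployment should use a vetted
    AEAD such as Fernet or AES-GCM; the file handling is the point here. The
    master key is supplied by the caller (e.g. from an environment variable or
    OS keyring, outside this example).
    """

    def __init__(self, path, master_key: bytes):
        self.path = Path(path)
        self._enc_key = _derive(master_key, b"enc")
        self._mac_key = _derive(master_key, b"mac")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = bytearray(), 0
        while len(out) < length:
            block = nonce + counter.to_bytes(8, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _unseal(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("secret store tampered with or wrong master key")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def load(self) -> dict:
        if not self.path.exists():
            return {}
        return json.loads(self._unseal(self.path.read_bytes()))

    def save(self, data: dict) -> None:
        """Write atomically; the file is created 0600 and chmod'ed in case it already existed."""
        blob = self._seal(json.dumps(data).encode())
        tmp = self.path.with_suffix(self.path.suffix + ".tmp")
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(blob)
        os.chmod(tmp, 0o600)
        os.replace(tmp, self.path)

    def get(self, name: str):
        return self.load().get(name)

    def set(self, name: str, value: str) -> None:
        data = self.load()
        data[name] = value
        self.save(data)


def strip_secrets(settings: dict, store: SecretStore) -> dict:
    """Move every SECRET_PATHS value out of the settings document into the store.

    Returns a deep copy of the document without the secret fields. Running this
    over an existing plaintext settings.json is the migration step.
    """
    settings = json.loads(json.dumps(settings))
    for *parents, field in SECRET_PATHS:
        node = settings
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict) and node.get(field):
            store.set(".".join(parents + [field]), node.pop(field))
    return settings


def api_view(settings: dict, store: SecretStore) -> dict:
    """Shape the document for GET /api/settings: only <field>_configured, never the value."""
    view = strip_secrets(settings, store)
    for *parents, field in SECRET_PATHS:
        node = view
        for key in parents:
            node = node.setdefault(key, {})
        node[field + "_configured"] = bool(store.get(".".join(parents + [field])))
    return view


def migrate_settings_file(settings_path, store: SecretStore) -> dict:
    """Rewrite a plaintext settings.json so it no longer carries the secret."""
    settings_path = Path(settings_path)
    stripped = strip_secrets(json.loads(settings_path.read_text()), store)
    settings_path.write_text(json.dumps(stripped, indent=2))
    return stripped
```

With this split, the settings handler serializes api_view(...) instead of the raw document, the test in tests/test_auth_routes.py asserts on api_key_configured rather than the plaintext value, and the Google Drive token code can be moved onto the same SecretStore so both providers share one mechanism.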
Related Issues: