clockify-cli
Better secret management for tokens and ids
The clockify-cli uses an underlying YAML file located at ~/.clockify-cli.yaml to manage settings. This file also includes the userid, workspaceid, and token in plain text, which may not be desirable for all users.
While it is possible to set the token (and other IDs) via the command line, this approach is also insecure as it exposes the sensitive data in the command history. To address this, there are two secure alternatives that could be implemented:
- **Credential Process Support**: Similar to the AWS config file, a `credential_process` parameter could be introduced, allowing users to specify a command responsible for securely returning the credential. For example, a user could configure `credential_process: pass show clockify`, enabling the `pass` utility to handle security and encryption. This parameter would be optional in the YAML file and, if present, would take precedence over any token supplied manually. This approach is more flexible, secure, and versatile, but it might be more challenging to implement.
- **YAML `!include` Support**: Allow the YAML syntax to support `!include`, enabling users to reference another YAML file containing sensitive data. This secondary YAML file could be stored in a more secure location, such as a removable device, providing better protection for sensitive information.
While the first option offers greater security and flexibility, it is more complex to implement. Nevertheless, either approach would significantly enhance security for users.
I love this project and use it all the time, so I’d be thrilled to see these features implemented. While I’m not experienced in Go programming, I’ll take a look at the code to see if I can contribute in some way.
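A sketch of how the first proposal could resolve the token, added here as an example that is not from the clockify-cli code base or from the issue author; the `credential_process` key, the `Config` struct and the 30-second timeout are assumptions modelled on the AWS-style behaviour described in the issue:

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Config is the subset of ~/.clockify-cli.yaml this example cares about.
// CredentialProcess is the proposed (hypothetical) credential_process key.
type Config struct {
	Token             string
	CredentialProcess string
}

// ResolveToken returns the API token. A configured credential_process takes
// precedence over a token stored in the file, as the issue proposes: the command
// runs via the user's shell, its trimmed stdout is the secret, nothing is logged,
// and the timeout guards against a helper that hangs on an unlock prompt.
func ResolveToken(cfg Config) (string, error) {
	if cfg.CredentialProcess == "" {
		if cfg.Token == "" {
			return "", errors.New("no token or credential_process configured")
		}
		return cfg.Token, nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	out, err := exec.CommandContext(ctx, "sh", "-c", cfg.CredentialProcess).Output()
	if err != nil {
		return "", fmt.Errorf("credential_process failed: %w", err)
	}
	secret := strings.TrimSpace(string(out))
	if secret == "" {
		return "", errors.New("credential_process returned an empty token")
	}
	return secret, nil
}

func main() {
	// Constructed sample: the helper command overrides the plain-text token.
	cfg := Config{Token: "plaintext-token", CredentialProcess: "echo from-helper"}
	token, err := ResolveToken(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println("token resolved, length:", len(token)) // never print the secret
}
```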
Hi @Hypercookie, I think we might try to use the OS keyring to protect the token and ids; there are some Go libs that might help us with that.
Sounds good to me.
I would still advocate for also using the first option. Using the OS keyring will prevent declarative configurations like NixOS from working (which is what I use and also the reason I opened this ticket).
Thank you for taking the time to answer :)