
Token Stored in Plaintext

Open dgrebb opened this issue 2 years ago • 11 comments

Thanks for a great plugin! A note on GitHub access tokens, they are currently stored in plaintext in Vault. For anyone syncing with GitHub, iCloud, Dropbox, OneCloud, etc. this is something to be very aware of.

File: .obsidian/plugins/github-embeds/data.json

```json
{
  "githubToken": "gho_[REDACTED]",
  "embedIssues": true,
  "embedFiles": true,
  "labelDisplay": "preview",
  "autoOpenThreshold": 10,
  "dateFormat": "YY.MM.DD",
  "showTotalComments": true
}
```

dgrebb avatar Dec 24 '23 20:12 dgrebb

Thanks for pointing this out! I'll probably merge #19 for now and then look into other methods of handling this properly (or as best I can within the confines of the Obsidian plugin environment lol).

MrGVSV avatar Dec 25 '23 03:12 MrGVSV

@MrGVSV you're welcome! Thank you again for the plugin. I think crypto is the easiest. This looks promising as a potential route.

You could also just come right out and say "DO NOT use your elevated permissions access token - make a new, read-only PAT" or something.

Happy holidays!

dgrebb avatar Dec 25 '23 06:12 dgrebb

> I think crypto is the easiest. This looks promising as a potential route.

Yeah this could work. Of course, it would only be a bandaid until Obsidian exposes some way for a plugin to safely store user secrets (i.e. we need to store the encryption key somewhere so a malicious plugin could still find and decrypt the token).

I'll still look into adding it, but I really wish there was a better way of achieving this. 🤔

MrGVSV avatar Dec 25 '23 07:12 MrGVSV

It's definitely not straightforward, but may be another good example.

I'll also do some digging on this.

dgrebb avatar Dec 25 '23 07:12 dgrebb

> It's definitely not straightforward, but may be another good example.

Yeah this works but I'm not sure about asking the user to input an encryption key every time they open the app. We could maybe make that an option for users who do need that kind of security but it's not an ideal UX imo.

MrGVSV avatar Dec 25 '23 19:12 MrGVSV

Reopening as I would like a proper solution for this in the future (even if we do need to wait for Obsidian to provide an API for it).

MrGVSV avatar Dec 25 '23 19:12 MrGVSV

@MrGVSV I started doing some research into this. How do you feel about storing a random-string encryption key in a user's home directory?

This would be used to store the key by which PATs are encrypted and decrypted to/from .obsidian/plugins/github-embeds/data.json.

Spitballing before committing to anything.

dgrebb avatar Jan 10 '24 01:01 dgrebb

> How do you feel about storing a random-string encryption key in a user's home directory?

Would this solution be cross-platform? I believe the NodeJS API is desktop-only.

MrGVSV avatar Jan 10 '24 02:01 MrGVSV

Interesting! Thanks for this, @MrGVSV. Back to the drawing board — I'll dig into the Obsidian docs.

dgrebb avatar Jan 10 '24 02:01 dgrebb

@MrGVSV the complexity and overhead of cross-platform encryption with node are daunting.

I propose:

  1. Refactor Settings actions to read/store GH token to/from separate config file
  2. Refactor DisclaimerSection to mention "Add this file to .gitignore if syncing with remote repo..."

I'd be happy to make these changes and submit an RFC/PR. Let me know what you think!

dgrebb avatar Jan 20 '24 23:01 dgrebb
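The two-step proposal above (keep the token in its own file, and put that file in `.gitignore`), as an added TypeScript example that is not part of the plugin: the `secrets.json` path is an assumption, and the migration branch handles a `data.json` that still carries a plaintext `githubToken`, which is the situation reported at the top of this issue.

```typescript
// Added example (not the plugin's own code). Splits the GitHub token out of
// the synced settings file into a separate secrets file, and keeps that file
// out of version control. The secrets file name is an assumption.
const SETTINGS_PATH = ".obsidian/plugins/github-embeds/data.json";
const SECRETS_PATH = ".obsidian/plugins/github-embeds/secrets.json"; // hypothetical

interface Secrets { githubToken?: string }

interface SplitResult {
  settings: string;  // new contents for data.json, never containing the token
  secrets: string;   // contents for the secrets file
  migrated: boolean; // true when a plaintext token was moved out of data.json
}

// Step 1: load settings and secrets separately. If data.json still holds
// "githubToken" (a pre-refactor vault), move it to the secrets file. An
// existing secret wins so a stale token in data.json never overwrites it.
function splitToken(dataJson: string, secretsJson: string | null): SplitResult {
  const settings = JSON.parse(dataJson) as Record<string, unknown>;
  const secrets: Secrets = secretsJson ? JSON.parse(secretsJson) : {};
  let migrated = false;
  if (typeof settings.githubToken === "string") {
    if (!secrets.githubToken) secrets.githubToken = settings.githubToken;
    delete settings.githubToken; // data.json is the file that gets synced
    migrated = true;
  }
  return {
    settings: JSON.stringify(settings, null, 2),
    secrets: JSON.stringify(secrets, null, 2),
    migrated,
  };
}

// Step 2: make sure .gitignore excludes the secrets file (idempotent, so the
// entry is added once no matter how often the plugin loads).
function withGitignoreEntry(gitignore: string, entry: string): string {
  const lines = gitignore.split(/\r?\n/);
  if (lines.some((l) => l.trim() === entry)) return gitignore;
  const sep = gitignore.length === 0 || gitignore.endsWith("\n") ? "" : "\n";
  return gitignore + sep + entry + "\n";
}

// Constructed sample matching the data.json shape shown in this issue.
const sampleDataJson = JSON.stringify(
  { githubToken: "gho_constructed_sample", embedIssues: true, embedFiles: true },
  null, 2,
);
const result = splitToken(sampleDataJson, null);
console.log(`${SETTINGS_PATH} migrated: ${result.migrated}`);
console.log(withGitignoreEntry("node_modules\n", SECRETS_PATH));
```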

@dgrebb That works for me as long as we can make it work cross-platform! 😄

MrGVSV avatar Jan 21 '24 01:01 MrGVSV