Encryption
Storing an API key in your `zazurc.js` file means it can't be backed up to GitHub or other public type places. There should be a way to easily add encrypted data to this file. Possibly related to the package manager #32
Related links: https://github.com/henryboldi/felony https://github.com/keybase/triplesec
After some talk this is what the current idea would look like:
When installing a plugin, currently it is assumed no variables need to be set. The `zazu-package-manager` can be modified to check which variables need to be set. Zazu can then prompt the user for inputs. For example:
diff --git a/zazu.json b/zazu.json
index 6d190ad..b5d212d 100644
--- a/zazu.json
+++ b/zazu.json
@@ -1,6 +1,9 @@
{
"name": "Gist",
"icon": "icon.png",
+ "variables": {
+ "token": "string.secure"
+ },
"blocks": {
"input": [
{
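Review bot: The added `"token": "string.secure"` entry packs the value type and the secrecy flag into one dotted string, and nothing in the hunk says which suffixes are valid or what happens on an unrecognised one. A typo such as `string.secur` should be rejected at install time rather than treated as a plain string, otherwise the token would be stored unencrypted; consider documenting the accepted values or splitting this into explicit fields (for example a type and a separate secure flag).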
We can also allow the user to specify an "encryption driver", which would default to one we create like `tinytacoteam/zazu-encryption-aes` or something. This will expose an encrypt/decrypt method.
When Zazu loads it'll search the plugin config for "secure" keys and overwrite them in memory. For example:
```json
{
  "name": "afaur/zazu-gist",
  "variables": {
    "token": {
      "secure": "7f46165474d11ee5836777d85df2cdab"
    }
  }
}
```
Would replace `token.secure` to just be `token` and pass the real value into the plugin to use.
So the workflow would look like this:
- Open Zazu
- Type in `install gist`
- The package manager prompts and asks for your API token
- The package manager tries to `encrypt` it with the `pluginContext.encrypt`
- Zazu does not have the password in memory
- Zazu prompts the user for a password
- Zazu asks the encryption driver to encrypt the data and returns it to the package manager
- The package manager saves the new `~/.zazurc.json` file and reloads zazu
When you open up Zazu with the new config:
- Zazu sees a `secure` variable and tries to decrypt it
- Zazu prompts you for a password since it is not in memory
- Zazu passes it to the plugin when it's needed.
Assumptions
We assume the driver will ALWAYS need a password. What if you never wanted to share this file, but you wanted it to be secure? There could just be a driver that uses some randomly generated file as your password. The `~/.zazurc.json` can't be shared but you could encrypt/decrypt on the same computer.
cc @tinytacoteam/zazu-core