alfred-workflow-gauth Implemented Apple Keychain support (with migration procedure)

Implemented Apple Keychain support (with migration procedure)

Open aik099 opened this issue 8 months ago • 1 comments

[management] store secrets in a separate easily lockable alfred-gauth keychain (not the login keychain)
[security] using security command to manage keychain, which results in the following behavior:
- a user is asked for a password at keychain creation/unlock time
- the Alfred itself isn't aware of the that password
[performance] using security dump-keychain command to get all accounts with their passwords in a plain text format
an internal method for removing accounts (could be connected to UI later)
an internal method for generating a QRCode from an account (could be connected to UI later), that could be scanned in the Google Authenticator app

removed dead code for key/hexkey handling in the "~/.gauth" file (otp.get_hotp_key, AlfredGAuth. config_get_account_token ), because gauth add command only populates the secret key
replaced '... {} ...'.format(...) notation with f'... {...} ...' notation
changed the visibility of methods that were used as protected but declared as public
simplified workflow configuration:
- used Junction workflow element to join copy-to-clipboard and show notification actions together (previously an action was used that printed out what was given to it)
integrated:
- #45
- #46
- #48
- #49
- #50

when attempting to add a first account (the config file is empty) using gauth add account,secret, then you're seeing GAuth is not yet configured script filter XML entry in the notification prior to an A new account was added... text
when a config file was empty in used used gauth command, then he was seeing GAuth is not yet configured entry (correct), but the workflow also created a 2nd Account not found entry, which Alfred didn't show, because of invalid XML (e.g. <items>...entry for missing config...</items><items>...entry for account not found...</items>)

added these extra flows:
- if a keychain is missing, then a user is informed about that and asked to create one
- if a keychain exists but it is locked, then a user is informed about that and asked to unlock it
- if an unlocked empty keychain exists and there is a non-empty ~/.gauth file, then the user is informed about that and asked to migrate the data
the notification title about an added/non-added account is now dynamic (e.g. Account creation succeeded and Account creation failed) instead of static Google Authenticator

backup:
- your existing workflow
- your ~/.gauth file
install the workflow from this PR ( https://github.com/moul/alfred-workflow-gauth/raw/0f01cfd654d6572e3f1d83b7e9df3a93283dee66/Google%20Authenticator.alfredworkflow )

open the Alfred Search Bar
type gauth (keyword to activate this workflow)
follow the instructions for Apple Keychain creation/unlocking
if you're using workflow from this PR for the first time, then follow the instructions for Apple Keychain data migration
if you had a non-empty ~/.gauth file, then:
- confirm that ~/.gauth file was deleted
- all accounts from the ~/.gauth file are shown in the workflow