secret API keys are written in plaintext to the init file

Open parsoj opened this issue 4 years ago • 3 comments

Hi! I really appreciate that you guys put this plugin together!

However - could I ask you to please not use customize-save-customized to store your users' api keys? https://github.com/wakatime/wakatime-mode/blob/master/wakatime-mode.el#L109-L116

That function stores the customize variables by writing them in plain text to the user's init.el file.

Many emacs users like to keep their configs in revision control - and also like to share their configs with other emacs users (my configs are in a public git repo)

I just caught that my private wakatime API key was actually being published as public information because it was in my init.el file!

I'll come up with a work-around for now - but please keep in mind that you are potentially setting people up to make their private API key public information (because they may not catch that you wrote it to their init.el). Thanks!

parsoj avatar Jul 20 '19 00:07 parsoj

Duplicate of #18, which it seems shouldn't have been closed back then.

alanhamlett avatar Jul 20 '19 03:07 alanhamlett

https://github.com/wakatime/wakatime/commit/4c3d80873d779821f8abe7c50a521e6f18ec77e7 adds support for reading/writing the api key to ~/.wakatime.cfg with the wakatime command line program, for example:

wakatime --config-read api_key or wakatime --config-write api_key 1234

Now we just need to update wakatime-mode to execute the wakatime cli when reading and saving the api key instead of writing to init.el.

alanhamlett avatar Jul 20 '19 04:07 alanhamlett

Looks like the README says you can use wakatime.cfg now, but if this is still an issue: as a workaround, you can add your key to ~/.authinfo.gpg, then load it from there in your config. The authinfo entry could look something like:

machine wakatime.com password <WAKATIME_API_KEY>

Then in your config:

(setq wakatime-api-key (auth-source-pick-first-password :host "wakatime.com"))

pakelley avatar Nov 14 '21 19:11 pakelley
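A fuller version of the two workarounds in this thread (the ~/.authinfo.gpg lookup pakelley describes, with alanhamlett's CLI-backed ~/.wakatime.cfg as a fallback), as an added Emacs Lisp example that is not code from the thread or from the wakatime-mode project. It assumes a `machine wakatime.com password ...` line exists in ~/.authinfo.gpg, that the `wakatime` executable is on PATH and supports `--config-read api_key` as described above, and that wakatime-mode reads `wakatime-api-key` when it loads; the `my/` function names are hypothetical.

```elisp
;; Added example (not wakatime-mode's own code): resolve the WakaTime API
;; key at startup from a secret store instead of persisting it in init.el.
;; Assumptions: ~/.authinfo.gpg holds "machine wakatime.com password <key>",
;; and/or the `wakatime' CLI is on PATH and supports `--config-read api_key'.

(require 'auth-source)

(defun my/wakatime-api-key-from-authinfo ()
  "Return the API key stored under host \"wakatime.com\" in auth-source.
Return nil when no entry is found."
  (let* ((match (car (auth-source-search :host "wakatime.com"
                                         :max 1
                                         :require '(:secret))))
         (secret (plist-get match :secret)))
    ;; auth-source may wrap the secret in a closure so it is not kept in
    ;; plain text in memory; unwrap it only at the point of use.
    (if (functionp secret) (funcall secret) secret)))

(defun my/wakatime-api-key-from-cli ()
  "Return the API key from ~/.wakatime.cfg via `wakatime --config-read api_key'.
Return nil if the CLI is missing, exits non-zero, or prints nothing."
  (when (executable-find "wakatime")
    (ignore-errors
      (let ((line (car (process-lines "wakatime" "--config-read" "api_key"))))
        (and line (not (equal line "")) line)))))

(defun my/wakatime-api-key ()
  "Resolve the API key from authinfo first, then from the CLI config.
Signal a `user-error' rather than silently running without a key."
  (or (my/wakatime-api-key-from-authinfo)
      (my/wakatime-api-key-from-cli)
      (user-error "No WakaTime API key in ~/.authinfo.gpg or ~/.wakatime.cfg")))

;; Use `setq', not `customize-set-variable' or the Customize UI: a plain
;; `setq' does not mark the option as customized, so a later
;; `customize-save-customized' has nothing to write into init.el.
(with-eval-after-load 'wakatime-mode
  (setq wakatime-api-key (my/wakatime-api-key)))
```

Because the key is computed at load time and never passed through Customize, the only file that holds it is the encrypted ~/.authinfo.gpg (or ~/.wakatime.cfg, which should stay out of any shared dotfiles repository); a `git grep` of the config repo for the key's value is a quick way to confirm nothing was persisted.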