Use a passphrase to encrypt user's minting config
Closed this issue · 3 comments
I recently implemented a simple auth system in PHP, I wonder if we should adopt the usual db auth strategy for the tool to make it a bit safer and less sketchy to anyone who is concernd about giving their private key. Even though we don't put it anywhere but the local file, it's still plaintext.
My proposal:
In React:
- ask the user for a passphrase in the minting config setup alongside the private key.
- use bcrypt to encode the private key using the passphrase
- store the bcrypt output in json
In Python:
- ask the user to enter their passphrase whenever the minting or transfer commands are triggered
- decode the bcrypt from json to get private key
- if any issues with establishing authentication, let the user know they may have entered their passphrase wrong
If a user ever forgets their password, then it's easy to re-run the mint config again. I think this will do A LOT for security conscious folks, and for those that are not we can at least make sure that in the event of accidentally sharing that file or getting compromised, we did not keep their pk in plaintext.
We may want to reach out to glitchyg specifically if/when we implement to make sure he is aware for his automated system.
Definitely a great idea
I would be reticent to add another passphrase for the user, but you make a good point that the passphrase reset is pretty straightforward.
At a cursory glance there are a few python libraries that implement JWE or JWT. I believe glitchyg is using JWT
JWT looks pretty cool since its JSON in, JSON out - just provide the secret
I'd rather use it vs using bare bcrypt
We can automate the decrypting by passing the passphrase as a command line argument, or a .env variable for advanced users
