Store GitHub API tokens more securely

Question

Store GitHub API tokens more securely

Closed this issue a year ago · 5 comments

I noticed that the API tokens are stored in plaintext in user defaults. It'd be nice if they were encrypted on disk, perhaps using Keychain Services?

Answer 1 · 2014-10-31T19:04:10.000Z

Actually, since updating to 1.1.0 I don't see the token anymore when running $ defaults read com.housetrip.Trailer, so maybe this has been resolved. How are tokens stored now?

Answer 2 · 2014-11-01T11:55:08.000Z

Hi @mkantor, yes, tokens are now stored in the server settings, in the database.

1.1.0 and up will auto-migrate your existing token and API settings from defaults and create an entry for a server based on them, removing the settings in the process.

However, they the settings the DB are still clear-text and easily readable by anyone with access to the SQLite store in ~/Library/Application Support/com.housetrip.Trailer

I like your suggestion about possibly using Keychain for auth tokens, and will investigate this more, but I'm worried about reducing the simplicity of handling tokens, which currently makes Trailer very easy and simple to set up initially. But I will check it out first, because it's an API I'm not well aquatinted with, and check back with you.

(And then of course there is the slippery slope of wondering about expanding auth for servers, things like full OAuth instead of the simple API tokens currently used, etc :))

Answer 3 · 2014-11-01T18:17:31.000Z

Sounds good. If you do decide to go this route, UICKeyChainStore may come in handy.

Answer 4 · 2015-02-08T15:00:00.000Z

That's good advice, I've had a chance to use this recently and it's awesome how simple it makes everything 👍 However one part of building Trailer for me is to try and keep it clear of any pods, mostly to nudge me to investigate more aspects of Cocoa's API rather than simply relying on (the excellent and well tested functionality of) external pods.

Still thinking about this issue, and I still agree it's a good idea to keep the token better hidden, so stay tuned :)

Answer 5 · 2023-08-19T14:17:28.000Z

Please follow the link to the issue above (#470) which contains a test build with this feature enabled. Will close this (erm... 9 year old 🤦) issue now. You're welcome! <64 ton weight, splat>