Move GitHub access tokens from plaintext SQLite to OS keychain #15
Open
…S keychain

The auth flow previously stored GitHub OAuth access tokens in plaintext in the local SQLite database. Anyone with file-system read access to the app's data directory could extract the token, which has full `repo read:user user:email` scopes — granting write access to all of the user's GitHub repositories.

This moves token storage to the OS-level credential store (macOS Keychain, Windows Credential Manager, Linux Secret Service) via the `keyring` crate, which is the most secure option for a desktop app.

- Add `keyring` v3 crate with native backend features
- Add three Tauri commands: keychain_set_token, keychain_get_token, keychain_delete_token in src-tauri/src/auth.rs
- Register new commands in src-tauri/src/lib.rs
- Update src/core/db/auth.ts getAuth() to auto-migrate existing plaintext tokens to the keychain on first read, then clear the SQLite column
- Update saveAuth() to store token in keychain, write empty string to SQLite column
- Update clearAuth() to delete the keychain entry alongside the SQLite row

Existing consumers (metrics.ts, useFeedback.ts) require no changes since they call getAuth() which now transparently reads from the keychain.

SUSTN-Task: d4696627-28bc-40fd-a721-2804dee0f24a
SUSTN Auto-PR
The auth flow stores GitHub OAuth access tokens in plaintext in the local SQLite database (`auth` table in `src/core/db/auth.ts`). Anyone or any process with file-system read access to the app's data directory can extract a user's GitHub token with full `repo read:user user:email` scopes.

The `keyring` crate is not currently in Cargo.toml but Tauri's `tauri-plugin-store` is already available. However, the most secure approach is to use the OS-level credential store (macOS Keychain). Since this is a single-user desktop app, the migration is straightforward:

- `keyring` crate (already identified as a dependency option in project memory) or use `security` CLI on macOS.
- `auth` table — if so, migrate it to the keychain and delete the SQLite row's `access_token` column value.
- `src/core/db/auth.ts` `getAuth()`/`saveAuth()` to call the Rust command instead of storing the token in SQL.
- `src/core/services/metrics.ts` and any other consumers that read the token via `getAuth()`.

This is the single highest-impact security fix. The token grants write access to all of the user's GitHub repositories (the `repo` scope), making it an extremely valuable target. Even local-only SQLite files can be exfiltrated by malware or accidentally committed/synced.

Files: `src/core/db/auth.ts`, `src-tauri/src/auth.rs`, `src-tauri/Cargo.toml`, `server/src/routes/auth.ts` (callback sends token via deep link — consider if that's safe too).

Branch: `sustn/move-github-access-tokens-from-plaintext-sqlite-to-os-keycha`
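
Added example, not code from this PR or the project: the migrate-on-first-read order described for `getAuth()` and `saveAuth()`, including the case where the credential store is unreachable. `Keychain`, `AuthRow`, `MemoryKeychain`, `readToken` and `saveToken` are hypothetical names, the stores are synchronous in-memory stand-ins for the async Tauri calls, and keeping the plaintext value when the keychain write fails is this example's choice, not something the PR states.

```typescript
// Added example. Keychain and AuthRow are hypothetical stand-ins for the
// keychain_* Tauri commands and the SQLite auth row; the real calls are async.
interface Keychain {
  set(token: string): void; // throws when no credential store is reachable
  get(): string | null;
  remove(): void;
}
interface AuthRow { access_token: string }

class MemoryKeychain implements Keychain {
  private value: string | null = null;
  private available: boolean;
  constructor(available: boolean) { this.available = available; }
  set(token: string): void {
    if (!this.available) throw new Error("credential store unavailable");
    this.value = token;
  }
  get(): string | null { return this.value; }
  remove(): void { this.value = null; }
}

// getAuth()-style read: migrate a legacy plaintext token on first read.
function readToken(row: AuthRow | null, keychain: Keychain): string | null {
  if (row === null) return null;
  const legacy = row.access_token;
  if (legacy === "") return keychain.get(); // already migrated
  try {
    keychain.set(legacy);
    // Confirm the round trip before destroying the only other copy.
    if (keychain.get() !== legacy) throw new Error("read-back mismatch");
    row.access_token = ""; // stands in for UPDATE auth SET access_token = ''
  } catch {
    // Keychain failed: leave the column untouched and retry on the next read.
  }
  return legacy;
}

// saveAuth()-style write: keychain first; if it throws, the row is left as
// it was and the new token is never written to SQLite.
function saveToken(row: AuthRow, token: string, keychain: Keychain): void {
  keychain.set(token);
  row.access_token = "";
}
```

A failed migration leaves the plaintext token on disk, so it is worth logging that path so the condition does not persist unnoticed.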