feat: add secure credential storage with OS keychain backends#97
Draft
felipefreitag wants to merge 11 commits into main from
Conversation
Store API keys in the OS keychain (macOS Keychain, Linux Secret Service, Windows Credential Manager) instead of plaintext files. Falls back to file-based storage when no keychain is available.

- Add CredentialBackend interface with isSecure property and implementations for macOS, Linux, Windows, and plaintext file
- Add async variants of config functions (resolveApiKeyAsync, storeApiKeyAsync, removeApiKeyAsync, removeAllApiKeysAsync, renameProfileAsync)
- Add `resend auth migrate` command for migrating between storage backends
- Add --insecure-storage flag and RESEND_CREDENTIAL_STORE env var
- Update doctor command to check credential storage and use async key resolution
- Show storage type in whoami output
- Parallelize independent keychain operations in removeAll and migrate
- Fix whoami for keychain users (async resolveApiKeyAsync)
- Fix Windows PowerShell injection by passing secret via stdin
- Fix migration data loss: write file before deleting from keychain
- Fix login.ts to use resolveApiKeyAsync and update description
- Document macOS process arg exposure limitation
- Add test coverage for async config, whoami keychain, migrate, windows backend
Test Windows (PasswordVault, Win32 P/Invoke, cmdkey), Linux (secret-tool + dbus/gnome-keyring), and macOS (security command) on GitHub Actions runners.
… CI setup

- Add `await` to `requireClient()` call in listen.ts after merging main (requireClient became async in our credential storage branch)
- Replace dbus-send CreateCollection with gnome-keyring-daemon --start and python3-secretstorage verification for more reliable Linux CI keyring setup
…ction secret-tool expects /org/freedesktop/secrets/collection/login which is created by --unlock, not --start. Combine install + keyring setup + secret-tool test into a single step so dbus/keyring env vars persist without GITHUB_ENV. Re-establish dbus+keyring in the Node.js step since actions/setup-node forces a step boundary.
- Use dbus-run-session to wrap secret-tool commands in a proper D-Bus session (fixes login collection not being created with dbus-launch)
- Add detailed logging: env vars, unlock output, D-Bus services, and collections to diagnose any remaining keyring issues
- Add Linux hint in login.ts when falling back to plaintext file storage, suggesting libsecret-tools + gnome-keyring installation