Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Tech] User credentials are no longer stored in plain text #1167

Merged
merged 1 commit into from Apr 6, 2022
Merged

[Tech] User credentials are no longer stored in plain text #1167

merged 1 commit into from Apr 6, 2022

Conversation

dawidgarus
Copy link
Contributor

@dawidgarus dawidgarus commented Mar 27, 2022
edited

As title says.
Unfortunately, legendary still saves tokens as a plain text internally, but we don't need to create copy of it.

Users may be asked to grant access to system's keychain after upgrade.
See: https://www.electronjs.org/docs/latest/api/safe-storage/

WARNING:
Switching to this branch will cause migration and your credentials for GOG will be encrypted.
To switch back to other branches you will need to restore old configuration files.

Use the following Checklist if you have changed something on the Backend or Frontend:

  • Tested the feature and it's working on a current and clean install.
  • Tested the main App features and they are still working on a current and clean install. (Login, Install, Play, Uninstall, Move games, etc.)
  • Created / Updated Tests (If necessary)
  • Created / Updated documentation (If necessary)

@JakobDev
Copy link
Contributor

Just a Question: Does this work on the Flatpak version of Heroic? The doc says that it uses a password management tool, which is not available in a Flatpak, if you don't use Portals. I can't find any information, if the safe-storage API supports that. It would not good, if this change destroys the Flatpak version of Heroic.

@flavioislima
Copy link
Member

@JakobDev thanks for bringing this up. That's quite a good concern and we will need to find an answer for that before merging this.

@flavioislima flavioislima added the pr:testing This PR is in testing, don't merge. label Mar 28, 2022
@flavioislima
Copy link
Member

@dawidgarus can we disable this for Heroic Flatpak for now? until we find a solution or answers for that?
We have a global constant to check if it is flatpak or not so you can use that.

@dawidgarus
Copy link
Contributor Author

@flavioislima I'll investigate it. I didn't check it with flatpak build, but I assume it will fail gracefully thanks to isEncryptionAvailable().
I am however concered with: electron/electron#32206
I don't like depending on existance of BrowserWindow to read credentials. This should be done 100% on the backend.
I might look into alternative like: https://github.com/atom/node-keytar

@dawidgarus
Copy link
Contributor Author

So yeah, flatpak doesn't work. And it turns out that the encryption doesn't really do much except obscuring the data. All programs have access to system's keyring, so it doesn't prevent malicious programs from stealing your account, only makes it a little bit harder.
So I reduced the scope of this MR to just removing copy legendary credentials that heroic keeps and is not necessary.

flavioislima
flavioislima approved these changes Apr 6, 2022
View reviewed changes
Copy link
Member

@flavioislima flavioislima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! 👍🏽

@flavioislima flavioislima merged commit f3461ca into Heroic-Games-Launcher:main Apr 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flavioislima flavioislima flavioislima approved these changes

Assignees
No one assigned
Labels
pr:testing This PR is in testing, don't merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dawidgarus @JakobDev @flavioislima