Make mal authentication more secure about anipy-cli HOT 25 CLOSED

Another idea: let the user decide to store the password or not. So If the pw field is empty it will prompt for the password else it just continues to login the user

from anipy-cli.

Another idea: let the user decide to store the password or not. So If the pw field is empty it will prompt for the password else it just continues to login the user

lel u were faster xD

from anipy-cli.

If you want, I can implement that. I just didn't have time to research solutions for accessing keyrings and stuff, but this is pretty straight-forward

I have time tomorrow for this. If you have time now I would appreciate it, I will do it tomorrow if you don't

alright, I think I'll be able to do it today

from anipy-cli.

Um, since the file is local there shouldn't be any problem if it is left in plain text. With oauth we would just have the same problem again as the token would have to be stored somewhere. Without storing the token the user would have to login again everytime. The only real thing we could do (but it's actually just security through obscurity) is storing the password encrypted, but then we have the same problem again: where do we store the encryption keys?

from anipy-cli.

If you really don't want to store the password , you can put it in the config if needed and then delete it again, of course this is rather inconvenient.

from anipy-cli.

I think @nadi726 got a point, though.

Maybe instead of using OAuth ( the MAL API is somewaht inconsistent when it comes to Documentation)
we can provide the option to use Credential Managers or Keyrings provided by the OS.

There should be some options, but as of now I don't have time to look into this.
Maybe at some later point or if someone wants to give it a shot, feel free :P

from anipy-cli.

Yeah thought about that, but I imagine this would make it harder to support all Operating systems. As such vaults would require a password for unlocking every time anyway, we could just go ahead and encrypt the password with a key phrase and save the encrypted password (the user has to type the key phrase on login)

from anipy-cli.

Yeah thought about that, but I imagine this would make it harder to support all Operating systems. As such vaults would require a password for unlocking every time anyway, we could just go ahead and encrypt the password with a key phrase and save the encrypted password (the user has to type the key phrase on login)

True.

How about we provide following options:

1. save password in config file (as is now)
2. support only setting username and prompt for password every time MAL is being used ( stored in app during runtime)

from anipy-cli.

Yeah good then I will do that. What do you think @nadi726?

from anipy-cli.

We can maybe also provide a commandline option for passing the password in automated usecases

from anipy-cli.

We can maybe also provide a commandline option for passing the password in automated usecases

Then it would be possible to use an alias in bash which sets the password like:
alias anipy-cli='anipy-cli --mal_password $( cat secure_file_or_script_with_password) '

$() could be a script that interfaces some password manager like KeePass or a keyring or just a text file with 0600 permissions or whatever.

You get the idea ^^

from anipy-cli.

I believe it would be easier if we do something like this: anipy-cli -m < password.txt this gives the password to the input() prompt

from anipy-cli.

You can try it

a = input()
print(a)

then run it with the < somethin.txt

from anipy-cli.

I believe it would be easier if we do something like this: anipy-cli -m < password.txt this gives the password to the input() prompt

easier, yes, but I wouldn't consider that "clean" :D

from anipy-cli.

why tho it would save us implementing the commandline option

from anipy-cli.

Imagine you want to use it with the alias like I described earlier.
Now this could lead to issues if you don't wanna use the MAL cli.
You would either need to prompt for the password first things first in every mode or it would lead to unexpected behavior ^^

from anipy-cli.

If you want, I can implement that. I just didn't have time to research solutions for accessing keyrings and stuff, but this is pretty straight-forward

from anipy-cli.

Imagine you want to use it with the alias like I described earlier. Now this could lead to issues if you don't wanna use the MAL cli. You would either need to prompt for the password first things first in every mode or it would lead to unexpected behavior ^^

Ok fair enough. I thought you wanted this for automating, like the little script you put in the readme.

from anipy-cli.

Imagine you want to use it with the alias like I described earlier. Now this could lead to issues if you don't wanna use the MAL cli. You would either need to prompt for the password first things first in every mode or it would lead to unexpected behavior ^^

Ok fair enough. I thought you wanted this for automating, like the little script you put in the readme.

Oh for that I just use the config file. If someone is able to read that, I got different problems already.
Nevertheless you can use the --mal_password flag for this usecase as well, so it's a win-win I guess

from anipy-cli.

I think that's great and will provide a fluid experience without adding too much to do each time in order to log in.
I prefer @dymattic's approach

That's kinda unrelated, but maybe in order to further improve user experience we can prompt for username and password when there is no username in the config(like, upon first using the mal cli)
and also ask the user whether to store the password.
something like:

Mal login.
username:
>> example
password: 
>> example
Remember password(Y/n) ?
>>

from anipy-cli.

Oh for that I just use the config file. If someone is able to read that, I got different problems already. Nevertheless you can use the --mal_password flag for this usecase as well, so it's a win-win I guess

I just thought this would be powerfull, because it enables anyone who has security concerns to come up with their own solution on how to provide the password securely and maybe even in a convenient way at the same time.
We jsut provide an interface and don't need to bother implementing a "more secure" solution for storing the password :P

from anipy-cli.

If you want, I can implement that. I just didn't have time to research solutions for accessing keyrings and stuff, but this is pretty straight-forward

I have time tomorrow for this. If you have time now I would appreciate it, I will do it tomorrow if you don't

from anipy-cli.

I think that's great and will provide a fluid experience without adding too much to do each time in order to log in. I prefer @dymattic's approach

That's kinda unrelated, but maybe in order to further improve user experience we can prompt for username and password when there is no username in the config(like, upon first using the mal cli) and also ask the user whether to store the password. something like:

Mal login.
username:
>> example
password: 
>> example
Remember password(Y/n) ?
>>

While It probably would be easier to use, the overhead implementing this isn't really worth it.
How about, instead of prompting for the credentials, we provide the user with information on how to set them?

There already is a an option for displaying the config file location, so that should be easy enough.

from anipy-cli.

While It probably would be easier to use, the overhead implementing this isn't really worth it. How about, instead of prompting for the credentials, we provide the user with information on how to set them?

There already is a an option for displaying the config file location, so that should be easy enough.

Uhm, no prompting is fine, but storing is the issue.

from anipy-cli.

While It probably would be easier to use, the overhead implementing this isn't really worth it. How about, instead of prompting for the credentials, we provide the user with information on how to set them?
There already is a an option for displaying the config file location, so that should be easy enough.

That's fine. My main concern is how in the current state a user doesn't have enough indication of how to set it up.
I guess it can just be a detailed message if the mal cli is called without setting up first or maybe add something to the readme.

from anipy-cli.