
Implemented Apple Keychain support with migration procedure #44

Draft
wants to merge 1 commit into
base: master

Conversation


@aik099 aik099 commented Feb 12, 2025

Implementation details:

  • using a dedicated alfred-totp.keychain keychain (created on the fly as needed)
  • using the security command to manage the keychain, which results in the following behavior:
    • the user is asked for a strong password at keychain creation time
    • the Alfred workflow isn't aware of that password
    • the keychain itself auto-locks after a certain period of time, and the user then needs to re-enter his password to unlock and use it
  • using the security dump-keychain command to get all accounts with their passwords in plain text, for performance reasons
  • supports manual account/secret migration from the "~/.gauth" plain text file into the encrypted Apple Keychain using the gauth add migrate command
  • extracted the current config file-based implementation into a separate storage class
  • added the new Apple keychain-based implementation as a separate storage class
  • not configurable, but it would be an easy switch between different storage classes
  • removed obsolete code for key and hexkey handling in "~/.gauth", because gauth add only populates the secret key

Test Plan

  1. backup your existing workflow
  2. install the workflow from this PR
  3. activate Alfred (Option+Space)
  4. type gauth (keyword to activate this workflow)
  5. if you're testing this workflow for the first time, then:
    • the Alfred window will be closed
    • the creation dialog for an Apple Keychain named alfred-totp will appear
    • type a new strong password in both fields
    • hit the OK button
    • activate Alfred (Option+Space)
  6. confirm that you're not seeing any of the accounts
  7. select the Add a new secret entry and hit ENTER
  8. you'll be presented with the gauth add prompt
  9. type migrate (so that the final text says gauth add migrate) and hit ENTER
  10. you'll get a notification from Alfred telling you the account migration results from the ~/.gauth file
  11. activate Alfred (Option+Space)
  12. replace the gauth add migrate prompt with gauth
  13. confirm that you see all your accounts

TODO:

  • Write documentation.
  • Create a smoother migration experience, e.g. selecting the error entry about an empty keychain would automatically migrate the data.
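The storage design and migration flow described in the PR comment above, as an added example that is not the PR's own code or the project's: it builds the `security` command lines (keychain creation without a password argument so `security` prompts for it, `add-generic-password` per account, `dump-keychain -d` for the bulk read), parses dump-keychain output into account/secret pairs, and migrates a ~/.gauth INI file while refusing secrets that do not decode as base32. It never executes `security` unless a runner is supplied, so it runs on any OS. The keychain path, the `svce` attribute value and both sample inputs are assumptions.

```python
"""Keychain-backed TOTP secret store sketched after the PR description.

Added example, not code from the PR or the project. Only argv lists are built
and dump-keychain -d style text is parsed; pass run=subprocess-based callable
on macOS to execute the commands. Paths, service name and samples are assumed.
"""
import base64
import binascii
import configparser
import os
import re
import subprocess

KEYCHAIN = os.path.expanduser("~/Library/Keychains/alfred-totp.keychain")  # assumed path
SERVICE = "alfred-totp"  # assumed value for the keychain item's "svce" attribute


def normalize_base32_secret(secret):
    """Strip spaces, upper-case, pad to a multiple of 8 and prove it decodes."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    try:
        base64.b32decode(cleaned, casefold=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not a valid base32 TOTP secret: %r" % secret) from exc
    return cleaned


def create_keychain_cmd(keychain=KEYCHAIN):
    # No -p/-P: `security` prompts for the password itself, so this code never holds it.
    return ["security", "create-keychain", keychain]


def add_secret_cmd(account, secret, keychain=KEYCHAIN, service=SERVICE):
    # -U updates an existing item; -w puts the secret on argv (visible briefly in ps).
    return ["security", "add-generic-password", "-a", account, "-s", service,
            "-w", normalize_base32_secret(secret), "-U", keychain]


def dump_cmd(keychain=KEYCHAIN):
    return ["security", "dump-keychain", "-d", keychain]  # -d: include secret data


_ATTR = re.compile(r'^\s*"(acct|svce)"<blob>="(.*)"$')


def parse_dump(text, service=SERVICE):
    """Reduce `dump-keychain -d` output to {account: secret} for one service."""
    secrets, acct, svce, expect_data = {}, None, None, False
    for line in text.splitlines():
        if line.startswith("class:"):  # a new keychain item starts here
            acct, svce, expect_data = None, None, False
        elif expect_data:  # the line after "data:" carries the quoted secret
            expect_data = False
            if acct and svce == service and line.startswith('"'):
                secrets[acct] = line.strip().strip('"')
        elif line.strip() == "data:":
            expect_data = True
        else:
            m = _ATTR.match(line)
            if m and m.group(1) == "acct":
                acct = m.group(2)
            elif m:
                svce = m.group(2)
    return secrets


def migrate(gauth_text, run=None):
    """Copy every [account] secret from ~/.gauth-style INI text into the keychain.
    Returns (migrated, failed) account-name lists; undecodable secrets are never written."""
    run = run or (lambda argv: subprocess.run(argv, check=True))
    cfg = configparser.ConfigParser(interpolation=None)  # no % expansion of secrets
    cfg.read_string(gauth_text)
    migrated, failed = [], []
    for account in cfg.sections():
        secret = cfg.get(account, "secret", fallback=None)
        try:
            if secret is None:
                raise ValueError("no secret")
            run(add_secret_cmd(account, secret))
        except ValueError:
            failed.append(account)
        else:
            migrated.append(account)
    return migrated, failed


# Constructed samples, not real data: a ~/.gauth file and dump-keychain -d output.
SAMPLE_GAUTH = "[github]\nsecret = jbsw y3dp ehpk 3pxp\n\n[broken]\nsecret = not-base32!\n"
SAMPLE_DUMP = '''keychain: "/Users/me/Library/Keychains/alfred-totp.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="github"
    "svce"<blob>="alfred-totp"
data:
"JBSWY3DPEHPK3PXP"
class: "genp"
attributes:
    "acct"<blob>="wifi"
    "svce"<blob>="other-app"
data:
"hunter2"
'''

if __name__ == "__main__":
    planned = []  # dry run: record the commands instead of executing them
    print(migrate(SAMPLE_GAUTH, run=planned.append), planned)
    print(parse_dump(SAMPLE_DUMP))
```

Two trade-offs the example makes visible: `add-generic-password -w` exposes the secret on the command line for the lifetime of the process (the `security` binary has no stdin mode for it), and `dump-keychain -d` hands every item's secret to the caller in one go, which is the performance shortcut the PR takes; after the keychain auto-locks, whichever `security` call comes first triggers the unlock prompt the test plan describes.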

Other

Comment on lines -50 to -57
def get_hotp_key(key=None, secret=None, hexkey=None):
if hexkey:
key = hexkey.decode('hex')
if secret:
secret = secret.replace(' ', '')
secret = pad_base32_str(secret, '=')
key = base64.b32decode(secret, casefold=True)
return key
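Review bot: with the `hexkey` and bare-`key` branches gone, `get_hotp_key` as shown still returns `key` unchanged (None) when `secret` is empty or missing, and a malformed secret only surfaces as a `binascii.Error` out of `base64.b32decode`; the retained version should reject both cases explicitly so a bad keychain entry or migrated value fails loudly instead of flowing into HOTP. Keep the `secret.replace(' ', '')` and `pad_base32_str(secret, '=')` steps ahead of the decode, since they are what lets space-separated or unpadded secrets decode at all. Dropping `hexkey.decode('hex')` is also right on its own: that codec exists only on Python 2 `str`.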
Author

Removed branches of logic that aren't used:

  • only the hexkey argument given;
  • only the key argument given.

Comment on lines -58 to -66
try:
key = self.config.get(account, 'key')
except:
key = None

try:
hexkey = self.config.get(account, 'hexkey')
except:
hexkey = None
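Review bot: the two bare `except:` clauses around `self.config.get(account, 'key')` and `'hexkey'` swallow every exception, `KeyboardInterrupt` and attribute typos included, so removing them improves more than dead code; if the remaining `secret` lookup in the file-based storage class uses the same pattern, narrow it to the config parser's `NoSectionError`/`NoOptionError` so a missing section is reported rather than silently read as `None`.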
Author

Removed unused code for dealing with key and hexkey configuration variables.

@aik099 force-pushed the alfred-keychain-support branch from ecd0789 to 53295f5 on February 12, 2025 20:20
Linked issue (may be closed by this pull request): Store secrets in the Keychain