As in, when I install an add-on, and Firefox restarts, it should accept a password (only the first time when installing). And when the user wants to disable or remove the add-on, it will only comply upon entering the same password? In which part would the code be kept?
You cannot. Even if you disable add-on uninstall - the user can always close the browser and remove the extension manually (removing the directory on disk will do).
That said, the secure way of storing passwords is the login manager. They will be stored encrypted on disk if the user defines a master password. Of course, the user himself can always see the stored passwords (under Options / Security / Saved Passwords). So you probably want to store a salted hash of the password rather than the password itself.
You can also use AddonManager.addAddonListener() to get notified whenever an add-on is being disabled or uninstalled. You can cancel the action by calling addon.cancelUninstall() or setting addon.userDisabled = false.
The above is merely for reference - it won't really help you achieve your goal.
Related
I am generating a random strong password for every user and want the user to use the same password for accessing the application, since the password is going to be hard to remember I wish to store the same in the keychain so it is easy to access.
Of course you can, you must be looking for nativescript-secure-storage plugin.
tns plugin add nativescript-secure-storage
Is it possible for an app or a web page to change a password stored in smart lock without user interaction? In other words, must a user press a button in order for a password to be changed in smart lock?
If you call the save API and the user has an existing credential with a matching identifier, you can update the password or account type field without showing the user any UI (but they had to see UI and accept to save the info with their Google Account the first time in order to have an existing credential stored)
I have exact the same problem as describe here:
"User interaction is not allowed" trying to sign an OSX app using codesign
So now I want to change the private key access control to Allow all applications to access this item. When I check this option everything looks fine; I've been asked to enter the administrator password and after that the windows closes.
But when I check the Access Control of the key again the other option is checked again; only allow list of applications...
Already found a solution:
Remove the cert/key from System.
Add the cert/key to login and change the Access Control (changing here worked...).
Copy the cert/key to System. The access control is as it should be.
We have merchants logged in to a system, from which we want to link them to our Magento instance with some kind of admin token that will log them in directly without them having to manually login.
I see the rp_token field in the admin_user table but that appears to be related to a password reset, which probably isn't what we want.
Have done a bit of searching, found this thread which is related but is dealing with secret keys specifically (which will probably be my second challenge to resolve after resolving this one).
I'm guessing this isn't supported in core, but maybe there's a good extension out there to do it?
Or if not, what would be the best approach to implement? I'm guessing there is probably an event I could hook to look at a GET or POST param (which maybe could be a hash of the username and hashed password), then bypass the normal login() method which relies on username and plain text password.
That feels like it could be a little risky though? Any thoughts?
That feels like it could be a little risky though? Any thoughts?
This is extremely risky, but it can be done safely. I can speak on a similar issue I had in developing QuarkBar, an administration bar for Magento that is set to release this weekend.
So to show the bar, I need to verify the admin is logged in. Unfortunately that's hard to do on the frontend module, since there are two separate sessions. So to get around that I've created a quarkbar_session table. I use OpenSSL to store a secure crypt key once an admin is logged in, that I then check for on each request and match it to a cookie. If it matches, the admin is verified.
It's a little different from what you want of course, since I first set the key when the admin is logged in (it's an observer event). But it should get you started.
Source (NOT ready for production, use it for ideas): https://github.com/zschuessler/QuarkBar/tree/master/app/code/community/Zaclee/QuarkBar
Also, note that I'm storing the secure key so that I can access the admin backend. The solutions in your link say to disable it. You don't have to, check out QuarkBar for implementation.
I have an command line application (not rails) that needs the user to provide their username and password for the website the cli accesses.
I don't want to make the user enter their details for each and every command they execute.
How do I store the details without compromising security and storing the details without encryption? If I encrypt the password, where should I store the pass key so it is still secure?
I imagine an implementation similar to the way the Heroku gem works would be good.
UPDATE:
So I have gone ahead and implemented this in my application, but something doesn't feel quite right about the solution yet.
Prior to accessing the website for the first time, the user is prompted to enter their username and password. Following successful login, the user is asked whether to store the details for later. If yes, the password is encrypted using a key - however, as this is a ruby gem, the key is stored in the application in plain text.
Is there another way to do this. The file containing the username/password is now secure BUT the key to unlock it is stored in the application code.
On the update: no. If you need access to the plain text password, you can only obfuscate the password. You cannot safely store it. The key needs to be in plain, or the key that encrypts that key needs to be in plain, ad infinity. Can't be done.