Is Chromium Local Storage an alternative to node-keytar in electron? - passwords

I've to save user passwords on my electron app. https://github.com/atom/node-keytar is the best choice and it works well on Mac. But, a bulk of my user base is on Windows. KeyTar on windows is buggy and sometimes even insecure https://github.com/atom/node-keytar/issues/88.
So, I'm considering using chromium local storage (within electron) to store the password - perhaps, salted/hashed.
I searched much of the relevant internet; no one has a blog/suggestion/SO post on this. What am I missing?

Related

Bloomberg Anywhere and BLPAPI

I successfully developed an application through BLPAPI (Bloomberg API) on a Bloomberg Terminal machine (in Python). Unfortunately my company is thinking to switch to Bloomberg Anywhere...I will have the chance to run my application there?
With a move to Bloomberg Anywhere from open Bloomberg, you will have the same access to data that you had before. However, you will need to keep the following in mind:
Authentication will be linked to an individual person instead of a Username/Password. This means that the person who owns the Bloomberg login will need to be physically present at the machine to login using their fingerprint on the Bloomberg keyboard, a b-unit, or our newly released b-unit mobile app (for recent versions of android).
Your app will no longer be limited to running on the current machine only. You will now be able to install a Bloomberg access point and use your application on any windows machine as long as you have the person present as described above to log into the box.
Once logged in you will have data access for a few days, however if the Bloomberg anywhere user logs in to Bloomberg on a separate machine, then the machine with your python application will immediately lose access to data. To regain access, the Bloomberg anywhere user will have to re-login to the original machine.
hope this helps
Yes. Just be sure that the user logs in every so often. The API will work when a user is connected and even after they disconnect, for a while.
Yes, it should work fine, we've done some applications under BBanywhere.
The only issue I've seen which you should contemplate before going live application is ensuring that if you're moving it off the main box and it's a non-technical party using the service on a laptop or something, that the appropriate python install and dependencies are set up (ie. conda, blpapi, etc.) I've seen some people comfortable enough to run the script or app, then run on laptop or other computer under anywhere all of a sudden that doesn't work because the dependencies aren't there.

Access text file content from USB storage automatically from a server

I want to read the content of a text file (serves as a key) stored inside a USB mass storage automatically when the user is authenticated by his matching username and password for that website. It's like the textfile(key) is the extended authentication.
I think this needs to can be done by a (1) native program? or an (2) applet? What do i need to study? Can someone give me an overview for the process to make this possible?
Quite good in web tech but not with native app.
You cannot access USB mass storage devices through chrome.usb as they are claimed and handled by the host operating system.
Instead you could use the chrome.fileSystem API, but the user will need to select the file. Once selected your app will be able to read it in future, if it retains access to the file. See the API documentation for more details.
If you want this only for Internet Explorer, You can create an Active X. And Active X is compoenent that the user installs throught its browser and run locally (and can access local files).
Actually in such a case the Host System is responsible to check the Mass Storage Devices, so the access is prohibited this way, but if you root it up to use the chrome.fileSystem.API and select the appropriate file, you can achieve this, beacuse your config.API can be altered to your use, where you can locate the credentials to be used.(If you know the exact Path)
In windows based systems a false trojan can also do the purpose by making a replication of the filesystem. Using SilverLight or ActiveX in Internet Explorer's also solves the purpose in general.
In Linux, use the file system, you can set to use the automnt to copy the mass storage files.
Why not try building a .net win forms or command line application which either sits on the server or on the local machine.
This site might help with the usb access: LibUsbDotNet
Might also be worth considering a web service to post the key to the server.
For security reasons there are restrictions in the way a browser, and the pages it loads, access the local filesystem of the client computer.
Is it safe to assume you only require this to work on a specific browser? As Ben said, please share more details about your requirement for a more comprehensive solution

Automatic file selection for upload

Is it possible for a website to automatically find a folder on usb stick and upload all the files in it to the web server by clicking only one button?
The problem is that I don't know how to make upload form automatically detect usb stick as the drive name(ie. G:, F:, etc) may vary from computer to computer, so hard coding path is not possible.
Ps. I'm using yii framework for site development, but can add a new page that will handle this in any other language as the client really wants this feature.
Web sites are not allowed to set default files to upload (it's a major security risk!). Also, web sites cannot scan the hard drive/enumerate what file systems exist on a system, again, for security purposes.
It might be possibly to do this with Flash/Silverlight/Java. Java seems the most likely to allow a web developer to do this (Java plugin seems to be quite willing to give out every permission under the Sun).
Short answer: No.
Long answer: Allowing automatic uploads in web browsers would be a huge security hole so the browsers intentionally prevent it. Even if you manage to find a hole that permits it, the browser makers will break it as soon as they find out.
However, if you have an environment where an actual separate program can be installed on the end user's computer you could easily write a program to do automated uploads of specified directories when launched.

"Installable" web-app with Adobe Air?

I have a website that would ideally be accessed by users who have downloaded and installed it as "software"... I know i can create an "Application Shortcut" in Google Chrome to allow me to access my web-app in a window that does not resemble a web-browser (i love this by the way and it would work perfectly if it did not require a full install of Chrome). The problem is that i am not sure of a way to re-distribute GoogleChrome with a pre-configured application shortcut like this. I have also read a bit about Mozilla Prism which seems similar. After reading over some options, it looks like AdobeAIR is my best bet. I have not yet worked with it, but it looks like I can create a downloadable executable that will contain a web-based interface. This seems ideal, but all the documentation i have read thus far seems to make it sound like all the resources need to be locally included within the distribution. Can i just create an "empty" AdobeAIR frame that contains my live (server) website? Having never worked with AIR, is this reasonably easy to do (just a matter of setting up an iframe or something)? I do not want any content stored locally on teh user's computer, as it is a constantly changing data set.
AIR has badge installation option, and you can author content in js for it. There is also full-featured browser control in AIR (webkit-based), so it seems AIR has everything you need.

Login logistics

I'm writing a suite of applications that all require login to a server. It's come together quite nicely, but I've run into a logistic snag. The nature of the applications require that they be closed and launched again later with some frequency. It is very annoying to have to login every time one of the applications needs to launch.
I'm trying to think of a secure way of perhaps having the login information stored on the local user's machine. Is there a good way to even go about that? Permissions protected config files? The registry? How does Firefox store its passwords? Have you ever had to do something like this?
The suite is more of a protocol than anything, all the applications are written in a variety of languages (Python, C#, Java, etc) and run on a variety of operating systems (Windows, Linux, OSX, etc). I'm not really looking for code examples, but more just general approaches to this problem. Is it wise to have locally stored passwords? How can you have a session login for a suite with such disparate components? Right now I use application.rc config files stored locally to each application, but they are plain text and far from secure.
I'm going with Jeff on this one and assuming that since you mention the registry, you're referring to Windows. I'm also going to assume that you're talking about a desktop application (otherwise you could just use the builtin browser cookies to store the user's session).
Off the top of my head, I'd engineer the application so that when the user logs in to the server, the server returns a unique session id that identifies the authenticated user. I would then store than id along with an salted/encryped timestamp (which gives you the option of expiring the cached credentials).
The storage mechanism is up to you. You could store them in the HKEY_LOCAL_USERS section of the windows registry, or the Application Data folder in Windows. Both give you the option of user segmented storage.
Typically, this sort of thing is done by use of a "cookie"; a key which (securely) indicates that the user has successfully previously logged in to the server resource. This is how most web sites manage login information, and Firefox (all browsers, really) store the cookies that the browsers set on the user login. A few important things about cookies: they should be encrypted, to assure that malicious programs cannot generate one and thereby bypass the login process, they should match to server-kept resources (same reason), and they should age out, so that while you can maintain login information on a site for a while, your login information is not permanent (which is another security hole).
Personally I would use an encrypted local config file with some sort of an ID value of the machine (motherboard ID, Chip ID, HD ID etc) as part of the encryption key so that the config file cant be just copied from one machine to another. I would also include the date and time so you can expire it when you decide it gets stale.
Alternatively, you can create a host exe or launcher that does the log in and then goes to sleep and wake it up each time you want to launch a new application. The host exe would take the application as a parameter and decide whether or not to ask for login credentials (usually when the first app is started and then keep the login user and an encrypted password in memory. When the host exe has exited the login info is forgotten and when you start up again the cycle starts over.)
Tomcat 6 supports persistence/replication of sessions, so you should care about choosing the manager and configure it ;-)
More info: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html