On Thursday, April 22, 2021 at 12:40:43 PM UTC+2 [email protected] wrote:

> Whoops, just realized my mistake: only the creator of the TiddlyWiki or
> someone with the correct PAT can save.
>

That's right. ... And there actually is a problem that worried me at the beginning and it still does <https://github.com/Jermolene/TiddlyWiki5/issues/4525>.

The existing TW code stores the PAT in plain text in the browser local storage. ... That means, if I do have access to your PC, it will probably take 10 seconds for me to get your GitHub access token. ... I'll need a mobile phone to take a photo.

> I guess my real question is if TiddlyWiki does save by html tag, or if it
> grabs the values of Tiddlers individually and safely adds this code into
> the existing repo file. If so, how is this possible? It would seem like the
> GitHub API does not allow you to use existing code and just add new content
> in.
>

As I wrote. Using several files doesn't make it more secure. ... Only more complex.

--------------

I think the discussion at GitHub came to this conclusion. A more secure workflow can look like this.

- The PAT is encrypted and stored to the local storage
- The user opens the wiki and views it.
- The PAT isn't needed. So nothing happens.
- The user wants to save back to GitHub
- A (to be made) dialogue asks for the password to decrypt the PAT ... see [1]
- PAT is decrypted and used to save
- Decrypted PAT in memory is thrown away immediately

[1] As written at the GitHub issue, it should be possible to use a browser add-on that lets you "autofill" the password form. The add-on may also have a dialogue with a "master PW".

So ... We trade convenience for security.

have fun!
mario
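
The workflow outlined in the message above, sketched with the WebCrypto API as an added example (it is not part of the original post and not TiddlyWiki's code). The storage key name, the PBKDF2 iteration count and the function names are assumptions; `storage` is any object with `getItem`/`setItem`, such as `window.localStorage`.

```javascript
// Added example: WebCrypto is global in browsers and recent Node; the fallback covers older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const STORAGE_KEY = "example-encrypted-pat"; // hypothetical key name, not TiddlyWiki's
const PBKDF2_ITERATIONS = 600000;            // assumed work factor; tune for your users' devices

const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-256-GCM key from the password and a per-record salt.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Step 1 of the workflow: encrypt the PAT and store only salt, IV and ciphertext.
async function storePat(storage, password, pat) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(pat));
  storage.setItem(STORAGE_KEY, JSON.stringify({ salt: b64(salt), iv: b64(iv), ct: b64(ct) }));
}

// Save step: decrypt, hand the PAT to `useToken` once, then overwrite the plaintext bytes.
// A wrong password fails the GCM tag check, so decrypt() rejects and useToken never runs.
async function withPat(storage, password, useToken) {
  const rec = JSON.parse(storage.getItem(STORAGE_KEY));
  const key = await deriveKey(password, unb64(rec.salt));
  const plain = new Uint8Array(
    await wc.subtle.decrypt({ name: "AES-GCM", iv: unb64(rec.iv) }, key, unb64(rec.ct)));
  try {
    return await useToken(new TextDecoder().decode(plain));
  } finally {
    plain.fill(0); // best effort: the JS string handed to useToken cannot be wiped
  }
}
```

This protects the token at rest in local storage; script running in the page while a save is in progress can still see the decrypted value.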

