Interesting. So what’s stopping a TW owner from injecting a malicious script into a tiddler? On a side note, PATs may be more safely stored by using the CryptoJS library (AES), which requires a password to decode the PAT. I did something similar in my repo at GitHub.com/flancast90/lockifyJS, which could be simply adapted.
On Thu, Apr 22, 2021 at 7:25 AM PMario <[email protected]> wrote:

> On Thursday, April 22, 2021 at 12:40:43 PM UTC+2 [email protected] wrote:
>
>> Whoops, just realized my mistake: only the creator of the TiddlyWiki or someone with the correct PAT can save.
>
> That's right. ... And there actually is a problem that worried me at the beginning and it still does: <https://github.com/Jermolene/TiddlyWiki5/issues/4525>. The existing TW code stores the PAT in plain text in the browser local storage. ... That means, if I do have access to your PC, it will probably take 10 seconds for me to get your GitHub access token. ... I'll need a mobile phone to take a photo.
>
>> I guess my real question is if TiddlyWiki does save by html tag, or if it grabs the values of Tiddlers individually and safely adds this code into the existing repo file. If so, how is this possible? It would seem like the GitHub API does not allow you to use existing code and just add new content in.
>
> As I wrote, using several files doesn't make it more secure. ... Only more complex.
>
> --------------
>
> I think the discussion at GitHub came to this conclusion.
>
> A more secure workflow can look like this:
>
> - The PAT is encrypted and stored to the local storage.
> - The user opens the wiki and views it.
> - The PAT isn't needed, so nothing happens.
>
> - The user wants to save back to GitHub.
> - A (to be made) dialogue asks for the password to decrypt the PAT ... see [1]
> - The PAT is decrypted and used to save.
> - The decrypted PAT in memory is thrown away immediately.
>
> [1] As written at the GitHub issue, it should be possible to use a browser add-on that lets you "autofill" the password form. The add-on may also have a dialogue with a "master PW".
>
> So ... we trade convenience for security.
>
> have fun!
> mario
>
> --
> You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/2651a6ad-3672-4427-b03c-d151bb02ab0en%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/CALXL%2BrNza1Z3J-VAVOoMaj8nJXTG5UZVQAmH%3DJz4QhDtGBdaFA%40mail.gmail.com.

