From 96660a90e4cd296a2922d7a547de4cd9d0b1928b Mon Sep 17 00:00:00 2001
From: DanConwayDev
Date: Fri, 1 Sep 2023 00:00:00 +0000
Subject: feat(login) password login using encrypted nsec

Enables the user to only handle the nsec upon first use of the tool by encrypting it with a password and storing it on disk in an application cache.

The approach to encryption draws heavily from that used by the gossip nostr client.

- unencrypted nsec is zeroed from memory
- a salt is used to defend against rainbow tables
- computationally expensive key stretching defends against brute-force attacks of passwords with low entropy.

There is a UX trade-off between decryption speed and key-stretching computation. This UX challenge is exacerbated in a cli tool as decryption must take place more regularly. Thought was put into the selected n_log and a heavily reduced value is provided for long passwords where security benefits are smaller. A more granular reduction in computation was also considered but rejected to avoid revealing just how weak a password is, as most weak passwords are reused.
---
 flake.nix | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

(limited to 'flake.nix')

diff --git a/flake.nix b/flake.nix index 7c36e2d..2fa8d8a 100644 --- a/flake.nix +++ b/flake.nix
@@ -18,19 +18,13 @@ devShells.default = mkShell { nativeBuildInputs = [ - # stable to be introduced when the following issue is resolved + # override rustfmt with nightly toolchain version to support unstable features + # ideally this wouldn't be pinned to a specific nightly version but + # selectLatestNightlyWith isn't support with mixed toolchains # https://github.com/oxalica/rust-overlay/issues/136 - # rust-bin.stable.latest.default - # nightly for rustfmt - ( - rust-bin.selectLatestNightlyWith (toolchain: toolchain.default.override { - extensions = [ - "rust-src" - "rustfmt" - "clippy" - ]; - }) - ) + (lib.hiPrio rust-bin.nightly."2023-09-01".rustfmt) + rust-bin.stable.latest.default + ]; buildInputs = [ -- cgit v1.2.3
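Review bot: the new nativeBuildInputs entries no longer request the "rust-src" extension that the removed selectLatestNightlyWith override listed explicitly alongside "rustfmt" and "clippy". If anything in the dev shell still relies on it (editor tooling, for example), request it on the stable toolchain with an override in the same style as the removed block, or state in the comment that dropping it is intended. Two smaller points on the same hunk: the rustfmt pin to nightly "2023-09-01" will go stale silently, so the comment should say what has to change upstream before the pin can be removed, and it should make clear whether the retained rust-overlay issue 136 link is the issue that tracks this, since that link previously sat under the "stable to be introduced" comment. The added comment also reads "isn't support" where "isn't supported" is meant. Finally, the subject line describes password login with an encrypted nsec, while this file only changes the development toolchain; splitting the toolchain switch into its own commit would keep a later revert or bisect of the login feature from also changing the compiler channel.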