Comments (7)
Yeah, I 100% agree. In fact most of the other integrations/RoamJS services have already moved to using local storage; I just haven't gotten around to doing the same for Otter yet, since it's a somewhat unique integration (the only one that asks for a password).
Poke on this, as I think it's a huge red flag on using this.
Also, another random thought on improving this is to store the password in an encrypted fashion (and retrieve the decryption key by calling the RoamJS API, as we must call it anyway). Variations possible on:
- having one rotating key for everything (only somewhat helpful, but adds a layer of protection from casual read & dump of localStorage. Does not protect from a targeted attack)
- having user-specific keys (better, but requires more infrastructure work on your side, and maybe at that point you might as well store the password on the server side)
Not sure storing a decryption key with RoamJS necessarily increases security.
With the password in local storage, only one actor has access:
- those with access to the user's browser
With a decryption key stored in RoamJS, now there are two:
- those with access to the user's browser
- those with access to RoamJS
The scheme I was proposing is: password stored in encrypted form in local storage, and decrypted on demand by the backend when it's used (and the encryption key is stored on the backend).
In which case ideally the only time the password exists in cleartext is on the backend at execution time (which is the case right now as well).
Actually, on reflection I think this provides better security than I thought, as you don't actually need to store or retrieve the password in cleartext locally at all. So after setup you can't get the password back out of the browser (though you'd still be able to use the encrypted version of it with RoamJS if the decryption key is not personalized).
Ok yeah, I see how we could do this. Every RoamJS user has a personal API token that we may be able to use as the decryption key.
Thanks! Will look over the implementation in a bit 🙂