How does flyctl deal with authentication?

Not a debugging question or anything, everything is fine. I’m also incredibly inexperienced with creating CLI/desktop apps in general, so this might be too basic of a question.

I’ve been wondering this: how do desktop CLIs/gui applications store tokens for authentication? I noticed that flyctl creates a .fly directory with a config.yml which seems to have the access_token. Is that it?

  • Is it possible for said apps to use cookies? Or is this only a thing for browsers?
  • Is it a good idea to store a token in plain text? I’m not sure how else to avoid that though.
1 Like

It’s certainly a tricky question of how to do authentication!

You are right in that cookies are sent by browsers. They can be accessed by scripts but that can result in issues with XSS attacks, and so there is a httponly flag to make sure only a browser can access it.

As for storing the token it does seem like Fly uses the config file. The token could be stored encrypted … but then the application accessing it would need the key to decrypt it. So the problem simply moves there. If someone naughty can access your hard drive to see the contents of files, they could do a lot of other bad stuff while there.

One approach is OAuth2 which a lot of services like YouTube use to authenticate for their APIs. There the token can expire (doesn’t have to) which adds a layer of protection if it’s compromised. YouTube uses that approach for its API v3. But … then you need a refresh token to authenticate requests for a new access token, once it expires. So where do you store that (refresh token)? Again, the problem is still there. It’s just moved. :frowning:

I see Fly has actually done a good post about tokens and how they are looking to use Macaroon tokens. Take a look at: API Tokens: A Tedious Survey · Fly

2 Likes

Thank you for your explanation, Greg!

1 Like