barrett/cp.nvim
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): harden credential storage and transmission (#369)
Some checks failed
luarocks / ci (push) Has been cancelled
Details
luarocks / publish (push) Has been cancelled
Details

Browse source 
## Problem

Credential and cookie files were world-readable (0644), passwords
transited via `CP_CREDENTIALS` env var (visible in `/proc/PID/environ`),
and Kattis/USACO echoed passwords back through stdout unnecessarily.

## Solution

Set 0600 permissions on `cp-nvim.json` and `cookies.json` after every
write, pass credentials via stdin pipe instead of env var, and stop
emitting passwords in ndjson from Kattis/USACO `LoginResult` (CSES token
emission unchanged).
This commit is contained in:
Barrett Ruth 2026-03-07 18:14:34 -05:00 committed by GitHub
parent 771dbc7753
commit b53c8ca44e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 131 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

79
lua/cp/credentials.lua
View file

@ -14,46 +14,50 @@ local STATUS_MESSAGES = {
---@param platform string
---@param display string
local function prompt_and_login(platform, display)
vim.ui.input({ prompt = '[cp.nvim]: ' .. display .. ' username: ' }, function(username)
if not username or username == '' then
logger.log('Cancelled', { level = vim.log.levels.WARN })
return
end
vim.fn.inputsave()
local password = vim.fn.inputsecret('[cp.nvim]: ' .. display .. ' password: ')
vim.fn.inputrestore()
if not password or password == '' then
logger.log('Cancelled', { level = vim.log.levels.WARN })
return
end
vim.ui.input(
{ prompt = '[cp.nvim]: ' .. display .. ' username (<Esc> to cancel): ' },
function(username)
if not username or username == '' then
logger.log(display .. ' login cancelled', { level = vim.log.levels.WARN })
return
end
vim.fn.inputsave()
local password = vim.fn.inputsecret('[cp.nvim]: ' .. display .. ' password: ')
vim.fn.inputrestore()
if not password or password == '' then
logger.log(display .. ' login cancelled', { level = vim.log.levels.WARN })
return
end
local credentials = { username = username, password = password }
local credentials = { username = username, password = password }
local scraper = require('cp.scraper')
scraper.login(platform, credentials, function(ev)
vim.schedule(function()
local msg = STATUS_MESSAGES[ev.status] or ev.status
logger.log(display .. ': ' .. msg, { level = vim.log.levels.INFO, override = true })
local scraper = require('cp.scraper')
scraper.login(platform, credentials, function(ev)
vim.schedule(function()
local msg = STATUS_MESSAGES[ev.status] or ev.status
logger.log(display .. ': ' .. msg, { level = vim.log.levels.INFO, override = true })
end)
end, function(result)
vim.schedule(function()
if result.success then
cache.set_credentials(platform, credentials)
logger.log(
display .. ' login successful',
{ level = vim.log.levels.INFO, override = true }
)
else
local err = result.error or 'unknown error'
cache.clear_credentials(platform)
logger.log(
display .. ' login failed: ' .. (constants.LOGIN_ERRORS[err] or err),
{ level = vim.log.levels.ERROR }
)
prompt_and_login(platform, display)
end
end)
end)
end, function(result)
vim.schedule(function()
if result.success then
cache.set_credentials(platform, credentials)
logger.log(
display .. ' login successful',
{ level = vim.log.levels.INFO, override = true }
)
else
local err = result.error or 'unknown error'
cache.clear_credentials(platform)
logger.log(
display .. ' login failed: ' .. (constants.LOGIN_ERRORS[err] or err),
{ level = vim.log.levels.ERROR }
)
end
end)
end)
end)
end
)
end
---@param platform string?
@ -117,6 +121,7 @@ function M.logout(platform)
if ok and type(data) == 'table' then
data[platform] = nil
vim.fn.writefile({ vim.fn.json_encode(data) }, cookie_file)
vim.fn.setfperm(cookie_file, 'rw-------')
end
end
logger.log(display .. ' credentials cleared', { level = vim.log.levels.INFO, override = true })