  1. Compass
  2. COMPASS-3235

Eliminate multiple keychain password requests

    • 3
    • Iteration Bison, Iteration Manatee
    • Needed

      It's worth including in the release notes for Compass 1.20 that on OSX, after the upgrade, Compass will ask for the keychain password a few times (depending on the number of favorites). In this release, we changed the process that loads the favorites and our expectation is that this is the last time the user will have to enter their keychain password after an update.


      The multiple keychain password prompt has been a long-running unexplained behavior we haven't been able to get to the bottom of. A roll-up of bug reports:

      My hunch after re-reading these tickets is this happens after an auto-update or a manual upgrade. What's most likely is that we simply need to call keytar methods from the main process via IPC rather than from the renderer as we do today. See this example on Stack Overflow.

      From this blog post:

      One other important note: I recommend you only call node-keytar from the main process. If you set a password from the main process and then attempt to get it from a renderer process, it’ll prompt a permissions dialog for the user (this is macOS only, Windows doesn’t seem to mind either way). Additionally, I think it’s cleaner and clearer to the user if the access control list has your app name and its icon, instead of MyApp Helper and the generic app icon which is what you get when a renderer sets it.

      More notes from previous tickets rolled up below.

      SecKeychainFindGenericPassword is the method keytar uses to read a stored connection password. In the discussion:

      This function automatically calls the function SecKeychainUnlock to display the Unlock Keychain dialog box if the keychain is currently locked.

      A few ideas on what might need to happen:

      • Maybe something in the keytar bindings is too specific?
        Maybe when we run app-migrations today, macOS needs to re-validate or something?
      • Maybe a bulk-read call to fetch all passwords with FindPassword would guarantee this unlock dialog is shown once and only once in all cases (a single, implicit SecKeychainUnlock call), but there are some potential security implications to consider.

            Assignee:
            durran.jordan@mongodb.com Durran Jordan
            Reporter:
            lucas.hrabovsky Lucas Hrabovsky (Inactive)
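The two ideas in the description (calling keytar only from the main process over IPC, and reading all stored passwords in one bulk call) can be sketched as below. This is an added example, not Compass code: the service name, the channel names and the `isTrustedSender` check are hypothetical, and `keytar.findCredentials` stands in for the bulk read the ticket mentions.

```javascript
// Added example. SERVICE and the channel names are hypothetical, not Compass's.
const SERVICE = 'example-app/connections';

// ipcMain: Electron's ipcMain; keytar: the keytar module;
// isTrustedSender: caller-supplied check of the IPC event (hypothetical).
function registerKeychainHandlers(ipcMain, keytar, isTrustedSender) {
  let cache = null; // Promise<Map<account, password>> from one bulk read

  const load = () => {
    if (!cache) {
      cache = keytar.findCredentials(SERVICE).then(
        (creds) => new Map(creds.map((c) => [c.account, c.password])),
        (err) => { cache = null; throw err; } // retry on next call
      );
    }
    return cache;
  };

  // Reject calls from frames the app did not load itself.
  const guard = (fn) => async (event, ...args) => {
    if (!isTrustedSender(event)) throw new Error('untrusted IPC sender');
    return fn(...args);
  };

  // The renderer gets one secret per request, never the whole map.
  ipcMain.handle('keychain:get', guard(async (account) => {
    if (typeof account !== 'string' || !account) throw new TypeError('bad account');
    const secrets = await load();
    return secrets.has(account) ? secrets.get(account) : null;
  }));

  ipcMain.handle('keychain:set', guard(async (account, password) => {
    if (typeof account !== 'string' || !account || typeof password !== 'string') {
      throw new TypeError('bad arguments');
    }
    const secrets = await load();
    await keytar.setPassword(SERVICE, account, password);
    secrets.set(account, password);
  }));
}

// Main process wiring (needs Electron and keytar installed):
//   registerKeychainHandlers(require('electron').ipcMain, require('keytar'),
//     (event) => event.senderFrame.url === APP_URL); // APP_URL: your app's page
// Renderer: const pw = await ipcRenderer.invoke('keychain:get', account);
```

The bulk read keeps every stored password in main-process memory for the life of the app, which is the security trade-off the last bullet of the description alludes to; the sender check and per-account replies limit what a compromised renderer can pull out.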