Bug 332987

Summary: IMAP password is not saved
Product: trojita Reporter: Jono Bacon <jono>
Component: UbuntuAssignee: trojita-ubuntu-bugs
Status: RESOLVED FIXED    
Severity: normal CC: dpniel, trojita-bugs
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:

Description Jono Bacon 2014-04-02 22:57:48 UTC
I start the app, enter my mail server settings (Gmail), the app then connects. If I close down the app I have to re-enter my password; ideally the app will simply start and automatically load my INBOX.
Comment 1 Jan Kundrát 2014-04-03 05:26:34 UTC
Hi Jono, that's pretty much expected at this point. There's some upcoming work for merging the last year's GSoC results, and part of them are plugins for saving passwords in some secure storage.

Is there some Ubuntu-specific backend for password storage which can be used?

I'm very strongly against saving passwords on disk in cleartext.
Comment 2 Dan Chapman 2014-04-03 07:10:42 UTC
I can think of a couple of ways we can secure the password by either using

1) The Ubuntu.OnlineAccounts provider, which i believe mzanetti is going to be looking into ( see http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/)

2) storing the password with SHA1 encryption in a U1DB document. ( for reference Nekelesh used this in his flash back app http://bazaar.launchpad.net/~cliffhanger-dev/cliffhanger/trunk/view/head:/backend/sha1.js)

My opinion is to go for online accounts, but i don't know how difficult that currently would be to implement
Comment 3 Jan Kundrát 2014-04-03 07:19:34 UTC
(In reply to comment #2)
> 2) storing the password with SHA1 encryption

Nope, hashing != encryption. An IMAP client needs the actual plaintext of a password in a general case. You cannot get around that requirement by any creative use of hashing, sorry.
Comment 4 Pali Rohár 2014-04-03 07:39:07 UTC
On Thu Apr   3 09:10:42 2014 Dan Chapman wrote:
> I can think of a couple of ways we can secure the password by either
> using
> 
> 1) The Ubuntu.OnlineAccounts provider, which i believe mzanetti is going
> to be looking into ( see
> http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/)
> 

Is not Ubuntu using gnome-keyring for secure password storage?

> 2) storing the password with SHA1 encryption in a U1DB document. ( for
> reference Nekelesh used this in his flash back app
> http://bazaar.launchpad.net/~cliffhanger-dev/cliffhanger/trunk/view/head:/backend/sha1.js)
> 

I think that you should use some native platform way for secure password storing and not invening something new (which can be insecure).

Maybe we can provide some trojita password plugin for securely storing password (e.g encrypted with master password) on platforms where is no native password storage...

> My opinion is to go for online accounts, but i don't know how difficult
> that currently would be to implement
> 

You can look at trojita password plugin interface header file what is needed for implementing new password plugin:

https://projects.kde.org/projects/extragear/pim/trojita/repository/revisions/master/entry/src/Plugins/PasswordPlugin.h

Note that trojita could not use password plugins yet (I need to rebase and maybe modify my patches for it).
Comment 5 Dan Chapman 2014-04-03 10:00:19 UTC
(In reply to comment #4)
> On Thu Apr   3 09:10:42 2014 Dan Chapman wrote:
> > I can think of a couple of ways we can secure the password by either
> > using
> > 
> > 1) The Ubuntu.OnlineAccounts provider, which i believe mzanetti is going
> > to be looking into ( see
> > http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/)
> > 
> 
> Is not Ubuntu using gnome-keyring for secure password storage?

Only on Ubuntu desktop, as far as i know phone and tablet don't have access to any system resources other than what's available via the sdk api or has been built into the application.

> 
> Maybe we can provide some trojita password plugin for securely storing
> password (e.g encrypted with master password) on platforms where is no
> native password storage...
> 
> > My opinion is to go for online accounts, but i don't know how difficult
> > that currently would be to implement
> > 
> 
> You can look at trojita password plugin interface header file what is needed
> for implementing new password plugin:
> 
> https://projects.kde.org/projects/extragear/pim/trojita/repository/revisions/
> master/entry/src/Plugins/PasswordPlugin.h
> 
> Note that trojita could not use password plugins yet (I need to rebase and
> maybe modify my patches for it).

I think this might be the best solution atm unless, we can create a generic IMAP/SMTP plugin for online accounts similar to that found in GNOME desktop's online-accounts. But that may take a huge chunk of work to implement since i believe on oauth services are supported through the accounts provider 

Some more info on the Accounts provider 

https://wiki.ubuntu.com/OnlineAccounts

https://docs.google.com/document/d/1UwAQTXgEyZSD3di6fAUS0W18rKxh8TXb1TwsmkgbGG0/edit#heading=h.2s0rnc8nwg9k

This may raise some issues though, if say the user wants to use there gmail account which would result in possibly using XOAUTH2 for authentication, which I don't even know is currently possible in trojita.
Comment 6 Jono Bacon 2014-04-03 17:23:12 UTC
I believe that Online Accounts is the right way to go here. This way you authenticate via Online Accounts and different services can be exposed there.

So, for example, I authenticate with Google in Online Accounts and then I would tap Mail and Calendar as services I want to consume and Trojita and the Calendar app will receive content from that account.

This will work across all Ubuntu devices.
Comment 7 Jono Bacon 2014-04-03 17:24:08 UTC
Also, API docs are at http://developer.ubuntu.com/api/qml/sdk-14.04/Ubuntu.OnlineAccounts/
Comment 8 Dan Chapman 2014-05-30 15:41:33 UTC
Git commit 3e54d6c527ada1d4de2832cc618dd0e44e6e01b5 by Dan Chapman.
Committed on 28/05/2014 at 15:27.
Pushed by jkt into branch 'master'.

Ubuntu: Implements PasswordWatcher for imap access

Now uses the passwordWatcher. When authRequest signal is
received it either auto connects or if no password saved ask
user to enter password.

REVIEW: 118130
Related: bug 333965

Removed using an anonymous function to call a reloadPassword slot

M  +1    -1    CMakeLists.txt
M  +3    -0    src/Ubuntu/main.cpp
M  +21   -4    src/Ubuntu/qml/trojita/ImapSettings.qml
M  +10   -2    src/Ubuntu/qml/trojita/InfoDialog.qml
M  +48   -16   src/Ubuntu/qml/trojita/SettingsTabs.qml
M  +14   -2    src/Ubuntu/qml/trojita/main.qml

http://commits.kde.org/trojita/3e54d6c527ada1d4de2832cc618dd0e44e6e01b5