One time sharing of credentials
I'm creating this project because I'm tired of using a variety of unreliable and complex processes for the transfer of credentials from one person to another.
- Open https://credexchange.web.app
- Select the "Upload" tab.
- Type in a credential that you'd like to transfer to another person and select "Upload".
- Record the output ID and password; both of these are required for receiving.
- Hand over the ID and password to the other person.
- Open https://credexchange.web.app
- Select the "Download" tab.
- Enter the ID and the Password that you received from the other person.
- Copy the returned credential; it is permanently deleted from the database at this point.
When the user presses the "Upload" button a few things happen:
- A new random password is generated.
- The random password is used to encrypt the credential on the client.
- Once the credential is encrypted locally, it is uploaded to the server.
This means that there is no practical way to decrypt the stored credential by guessing the password, as decryption would always appear to work, but you would never know if you had the real credential.
Generating the password randomly at upload time reduces the likelihood of brute-force or guessing.
To download the credential you need to know both the ID of the credential and its password.
Decryption occurs on the client side also.
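A sketch of the upload and download steps described above, as an added example that is not the project's code. The cipher (AES-256-CTR), the scrypt key derivation and the record field names are assumptions, chosen because an unauthenticated mode matches the described behaviour where decryption with a wrong password still appears to work.

```javascript
// Added example, not the project's code. Cipher, KDF and field names are assumptions.
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 256-bit key from the one-time password (scrypt is an assumed choice).
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32);
}

// "Upload": generate the password locally, encrypt locally, and return
// what the sender keeps (password) and the only data the server would store (record).
function encryptForUpload(credential) {
  const password = randomBytes(24).toString('base64url'); // 192 bits of entropy
  const salt = randomBytes(16);
  const iv = randomBytes(16);
  const cipher = createCipheriv('aes-256-ctr', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(credential, 'utf8'), cipher.final()]);
  return { password, record: { salt, iv, ciphertext } };
}

// "Download": decrypt locally. CTR mode carries no authentication tag, so this
// never throws; a wrong password simply produces different bytes.
function decryptDownloaded(record, password) {
  const decipher = createDecipheriv('aes-256-ctr', deriveKey(password, record.salt), record.iv);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

// Runs both steps on a constructed sample credential (not real data).
function demo() {
  const secret = 'db-user:constructed-example-secret';
  const { password, record } = encryptForUpload(secret);
  const right = decryptDownloaded(record, password);
  const wrong = decryptDownloaded(record, 'a-guessed-password');
  return {
    serverSeesPlaintext: record.ciphertext.includes(Buffer.from(secret)),
    roundTrip: right.toString('utf8') === secret,
    plaintextLength: right.length,
    wrongGuessLength: wrong.length,      // same length, no error raised
    wrongGuessMatches: wrong.equals(right),
  };
}

console.log(demo());
```

With an unauthenticated mode like this, the receiver likewise gets no error if the stored ciphertext was modified before download.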
```
cd ./frontend
flutter build web
```
Note: Google auth and Firebase auth may be required for the first deployment.
Ensure you have a uniquely named Firebase project and have set the correct Firebase project ID in the firebase.json file.
```
firebase deploy
```
- Currently some values (like paths to functions and paths to the website for CORS) are static; these should be parameterised.
- The frontend could use some indication that the application is busy once the call to the backend has been made.
- I currently get an alert in Slack when people upload and download credentials (I don't see the content); this should be moved to a proper analytics system if this is used.
- Change the verb of the "Upload" button to "Transfer" or "Store".
- Add a maximum time that a credential can live.
- Publish an API for the backend.
- Replace the two separate functions for uploading and downloading with a single function that handles different HTTP methods correctly.
- CLI to store and receive creds conveniently.