Skip to content

Harden credential storage and sensitive logging#364

Open
KochC wants to merge 1 commit into
pytr-org:masterfrom
KochC:master
Open

Harden credential storage and sensitive logging#364
KochC wants to merge 1 commit into
pytr-org:masterfrom
KochC:master

Conversation

@KochC

@KochC KochC commented Jul 13, 2026

Copy link
Copy Markdown

Summary

This PR hardens the authentication flow against local credential and session disclosure.

Changes

  • Never persist the Trade Republic PIN; --store_credentials stores only the phone number.
  • Automatically remove the PIN from legacy two-line credential files.
  • Prompt interactively for the PIN when an existing web session cannot be resumed.
  • Create credential and cookie files with owner-only 0600 permissions.
  • Stop debug logs from dumping login responses, account settings, WebSocket payloads, and WebSocket errors, which may contain account or transaction data.
  • Add security regression tests for PIN non-persistence, legacy migration, file permissions, and redacted logging.
  • Document the security model and safe usage in the README.

Why this is useful

The previous flow wrote the PIN in plaintext under ~/.pytr/credentials. Any local user, backup, malware, or accidentally exposed home-directory artifact could recover the PIN and use it to initiate a new login. Passing the PIN through --pin can also expose it in shell history or process arguments.

The previous debug logging also serialized authentication/account responses and WebSocket messages. Debug logs can be retained, uploaded, or shared unintentionally, so avoiding sensitive payloads reduces accidental exposure of account and transaction data.

The change keeps cookie-based session reuse, while requiring the PIN again only when re-authentication is necessary. This removes long-lived plaintext PIN storage without making normal stored-session use more difficult.

Verification

  • uv run pytest
  • uv run ruff check .
  • uv run ruff format --check .
  • uv run mypy .

All checks pass.

Residual risks

Session cookies remain local bearer credentials and must be protected. The SDK still communicates with Trade Republic's private API and relies on HTTPS/TLS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant