Enhance Local Password and Key Management Security

[fabohax]

The current implementation of password and private key handling stores decrypted private keys in localStorage, which poses a significant security risk:

auth.ts:

nuxtClientInit() {
  const decryptedPrivKey = ref<string | null>(localStorage.getItem(AUTH_LOCAL_STORAGE_DECRYPTED_KEY));
  if (decryptedPrivKey.value) {
    try {
      this.privKey = decryptedPrivKey.value;
      this.pubKey = getPublicKey(Buffer.from(this.privKey, 'hex'));
      this.authMethod = AuthMethod.LOCAL;
    } catch (err) {
      console.warn('Error setting local key from local storage: ', err);
      this.delete();
    }
  }
  watch(() => this.privKey, (newVal) => {
    localStorage.setItem(AUTH_LOCAL_STORAGE_DECRYPTED_KEY, newVal || '');
  });
},

Here are suggested fixes:

1. Avoid storing decrypted private keys:

   • Keep decrypted keys in memory and never persist them to localStorage.
   • Use Vue's reactive state or composables to handle keys temporarily.

2. Use Web Crypto API for Encryption:

   • Encrypt sensitive data before storing it.
   • Derive keys securely using a passphrase with PBKDF2 or Argon2.

3. Implement a TTL (Time-to-Live):

   • Add an expiration mechanism for encrypted keys stored in localStorage.

[bilthon]

Keeping the unencrypted private key material in memory only is indeed a good idea. However take in consideration that a new private key management scheme will have to be introduced in the upcoming releases and the current one will be phased out. So I won't recommend putting too much time in modifying the current scheme for that.

You can more about the new scheme here: https://mostro.network/protocol/key_management.html

[fabohax]

Ok. Gonna check in detail.