As the title suggests, after running run-cli credentials, the user email and password are stored in plain text at ~/.config/.run-cli/run-cli-credentials.toml, giving attackers potential control over the whole user account.
I suggest either adding a token-based authentication system to the run.codes site (ideally limiting access the same way GitHub or AWS tokens do), adding password storing in the same way as in docker login, or supporting a --credentials option that lets users secure their passwords in other places and pass them via the command line when needed (of course, ideally in an environment variable, because of the command history file).
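Added example, not run-cli's own code: a credential loader that prefers a token from an environment variable (as the report suggests, so nothing lands on disk or in shell history) and otherwise reads the plain-text file only after flagging whether other local users can read it. The RUN_CLI_TOKEN variable name, the email/password key names and the flat TOML layout are assumptions; only the file path comes from the report.

```python
import os
import stat
from pathlib import Path

# Path named in the issue report.
DEFAULT_CREDENTIALS_PATH = Path.home() / ".config" / ".run-cli" / "run-cli-credentials.toml"
# Hypothetical names: run-cli has no such variable or keys today.
TOKEN_ENV_VAR = "RUN_CLI_TOKEN"
EMAIL_KEY, PASSWORD_KEY = "email", "password"


def parse_flat_toml(text):
    """Minimal parser for the assumed flat `key = "value"` layout (no tables)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = raw.strip().strip('"')
    return values


def file_permission_warnings(path):
    """Explain why a plain-text credentials file is exposed to other local users."""
    warnings = []
    mode = path.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append(f"{path} is readable by group/others (mode {stat.S_IMODE(mode):04o}); expected 0600")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append(f"{path} is writable by group/others")
    return warnings


def load_credentials(env=None, path=DEFAULT_CREDENTIALS_PATH):
    """Prefer a revocable token from the environment; fall back to the plain-text
    file only with its exposure made explicit in the returned warnings."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV_VAR)
    if token:
        return {"kind": "token", "token": token, "warnings": []}
    path = Path(path)
    if not path.exists():
        return None
    warnings = file_permission_warnings(path)
    fields = parse_flat_toml(path.read_text())
    if EMAIL_KEY not in fields or PASSWORD_KEY not in fields:
        return None
    warnings.append("password stored in plain text; prefer a revocable token")
    return {"kind": "password", "email": fields[EMAIL_KEY],
            "password": fields[PASSWORD_KEY], "warnings": warnings}
```

A caller should surface the warnings list to the user rather than silently proceeding, and a 0600 file still only protects against other local users, not against anything running as the same account.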