Comment by conception

17 hours ago

!!DO NOT DO THIS!!

You can use 1Password and 1Password CLI to give it MFA access and passwords at its leisure.

One prompt injection away from sending all your credentials to the Internet?

  • Agree, I was going the Vaultwarden route and figured this pattern seems better: https://fly.io/blog/tokenized-tokens/

    Secrets are encrypted and the proxy decrypts on the fly if destination is whitelisted for that token.

    • Reading through the discussion I was also thinking of the other fly.io blog post around their setup with macaroon tokens and being able to quite easily reduce the blast radius of them by adding more caveats. Feels like you could build out some kind of capability system with that that might mitigate some risks somewhat.
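
The caveat idea raised in the last comment, as an added example that is not from the thread or from fly.io's code: a minimal macaroon-style HMAC chain in which adding a caveat needs no root key, while dropping one breaks the signature. The `key = value` caveat grammar, the root key and the host names are assumptions made up for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> dict:
    # Issuer side: the only step that needs the root key.
    return {"id": token_id, "caveats": [], "sig": _mac(root_key, token_id.encode())}

def attenuate(token: dict, caveat: str) -> dict:
    # Holder side: the new signature is keyed by the old one, so anyone
    # holding a token can narrow it, but nobody can walk the chain backwards.
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat.encode())}

def _caveat_holds(caveat: str, request: dict) -> bool:
    # Hypothetical grammar "key = value"; anything unparsable fails closed.
    key, sep, value = caveat.partition(" = ")
    return bool(sep) and request.get(key) == value

def verify(root_key: bytes, token: dict, request: dict) -> bool:
    # Verifier side: rebuild the chain from the root key, then check
    # every caveat against the request actually being made.
    sig = _mac(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(_caveat_holds(c, request) for c in token["caveats"])

if __name__ == "__main__":
    root = b"constructed-root-key"  # constructed sample value
    agent_token = attenuate(mint(root, "agent-1"), "host = api.example.com")
    print(verify(root, agent_token, {"host": "api.example.com"}))   # allowed
    print(verify(root, agent_token, {"host": "evil.example.net"}))  # refused
```

Only the attenuated token is handed to the agent; the unrestricted one stays with whoever minted it.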