mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-09 10:28:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Introduce Bun.secrets API (#21973)

Browse Source 
This PR adds `Bun.secrets`, a new API for securely storing and
retrieving credentials using the operating system's native credential
storage locally. This helps developers avoid storing sensitive data in
plaintext config files.

```javascript
// Store a GitHub token securely
await Bun.secrets.set({
  service: "my-cli-tool",
  name: "github-token",
  value: "ghp_xxxxxxxxxxxxxxxxxxxx"
});

// Retrieve it when needed
const token = await Bun.secrets.get({
  service: "my-cli-tool",
  name: "github-token"
});

// Use with fallback to environment variable
const apiKey = await Bun.secrets.get({
  service: "my-app",
  name: "api-key"
}) || process.env.API_KEY;
```

Marking this as a draft because Linux and Windows have not been manually
tested yet. This API is only really meant for local development usecases
right now, but it would be nice if in the future to support adapters for
production or CI usecases.

### Core API
- `Bun.secrets.get({ service, name })` - Retrieve a stored credential
- `Bun.secrets.set({ service, name, value })` - Store or update a
credential
- `Bun.secrets.delete({ service, name })` - Delete a stored credential

### Platform Support
- **macOS**: Uses Keychain Services via Security.framework
- **Linux**: Uses libsecret (works with GNOME Keyring, KWallet, etc.)
- **Windows**: Uses Windows Credential Manager via advapi32.dll

### Implementation Highlights
- Non-blocking - all operations run on the threadpool
- Dynamic loading - no hard dependencies on system libraries
- Sensitive data is zeroed after use
- Consistent API across all platforms

## Use Cases

This API is particularly useful for:
- CLI tools that need to store authentication tokens
- Development tools that manage API keys
- Any tool that currently stores credentials in `~/.npmrc`,
`~/.aws/credentials` or in environment variables that're globally loaded

## Testing

Comprehensive test suite included with coverage for:
- Basic CRUD operations
- Empty strings and special characters
- Unicode support
- Concurrent operations
- Error handling

All tests pass on macOS. Linux and Windows implementations are complete
but would benefit from additional platform testing.

## Documentation

- Complete API documentation in `docs/api/secrets.md`
- TypeScript definitions with detailed JSDoc comments and examples

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Jarred Sumner
2025-08-23 06:57:00 -07:00
committed by GitHub
parent 8fad98ffdb
commit 707fc4c3a2
16 changed files with 2854 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cmake/sources/CxxSources.txt
View File

@@ -87,6 +87,7 @@ src/bun.js/bindings/JSNodePerformanceHooksHistogramConstructor.cpp
src/bun.js/bindings/JSNodePerformanceHooksHistogramPrototype.cpp
src/bun.js/bindings/JSPropertyIterator.cpp
src/bun.js/bindings/JSS3File.cpp
src/bun.js/bindings/JSSecrets.cpp
src/bun.js/bindings/JSSocketAddressDTO.cpp
src/bun.js/bindings/JSStringDecoder.cpp
src/bun.js/bindings/JSWrappingFunction.cpp
@@ -189,6 +190,9 @@ src/bun.js/bindings/ProcessIdentifier.cpp
src/bun.js/bindings/RegularExpression.cpp
src/bun.js/bindings/S3Error.cpp
src/bun.js/bindings/ScriptExecutionContext.cpp
src/bun.js/bindings/SecretsDarwin.cpp
src/bun.js/bindings/SecretsLinux.cpp
src/bun.js/bindings/SecretsWindows.cpp
src/bun.js/bindings/Serialization.cpp
src/bun.js/bindings/ServerRouteList.cpp
src/bun.js/bindings/spawn.cpp

1
cmake/sources/ZigSources.txt
View File

@@ -186,6 +186,7 @@ src/bun.js/bindings/JSPromiseRejectionOperation.zig
src/bun.js/bindings/JSPropertyIterator.zig
src/bun.js/bindings/JSRef.zig
src/bun.js/bindings/JSRuntimeType.zig
src/bun.js/bindings/JSSecrets.zig
src/bun.js/bindings/JSString.zig
src/bun.js/bindings/JSType.zig
src/bun.js/bindings/JSUint8Array.zig

319
docs/api/secrets.md Normal file
View File

@@ -0,0 +1,319 @@
Store and retrieve sensitive credentials securely using the operating system's native credential storage APIs.
**Experimental:** This API is new and experimental. It may change in the future.
```typescript
import { secrets } from "bun";
const githubToken = await secrets.get({
service: "my-cli-tool",
name: "github-token",
});
if (!githubToken) {
const response = await fetch("https://api.github.com/name", {
headers: { "Authorization": `token ${githubToken}` },
});
console.log("Please enter your GitHub token");
} else {
await secrets.set({
service: "my-cli-tool",
name: "github-token",
value: prompt("Please enter your GitHub token"),
});
console.log("GitHub token stored");
}
```
## Overview
`Bun.secrets` provides a cross-platform API for managing sensitive credentials that CLI tools and development applications typically store in plaintext files like `~/.npmrc`, `~/.aws/credentials`, or `.env` files. It uses:
- **macOS**: Keychain Services
- **Linux**: libsecret (GNOME Keyring, KWallet, etc.)
- **Windows**: Windows Credential Manager
All operations are asynchronous and non-blocking, running on Bun's threadpool.
Note: in the future, we may add an additional `provider` option to make this better for production deployment secrets, but today this API is mostly useful for local development tools.
## API
### `Bun.secrets.get(options)`
Retrieve a stored credential.
```typescript
import { secrets } from "bun";
const password = await Bun.secrets.get({
service: "my-app",
name: "alice@example.com",
});
// Returns: string | null
// Or if you prefer without an object
const password = await Bun.secrets.get("my-app", "alice@example.com");
```
**Parameters:**
- `options.service` (string, required) - The service or application name
- `options.name` (string, required) - The username or account identifier
**Returns:**
- `Promise<string | null>` - The stored password, or `null` if not found
### `Bun.secrets.set(options, value)`
Store or update a credential.
```typescript
import { secrets } from "bun";
await secrets.set({
service: "my-app",
name: "alice@example.com",
value: "super-secret-password",
});
```
**Parameters:**
- `options.service` (string, required) - The service or application name
- `options.name` (string, required) - The username or account identifier
- `value` (string, required) - The password or secret to store
**Notes:**
- If a credential already exists for the given service/name combination, it will be replaced
- The stored value is encrypted by the operating system
### `Bun.secrets.delete(options)`
Delete a stored credential.
```typescript
const deleted = await Bun.secrets.delete({
service: "my-app",
name: "alice@example.com",
value: "super-secret-password",
});
// Returns: boolean
```
**Parameters:**
- `options.service` (string, required) - The service or application name
- `options.name` (string, required) - The username or account identifier
**Returns:**
- `Promise<boolean>` - `true` if a credential was deleted, `false` if not found
## Examples
### Storing CLI Tool Credentials
```javascript
// Store GitHub CLI token (instead of ~/.config/gh/hosts.yml)
await Bun.secrets.set({
service: "my-app.com",
name: "github-token",
value: "ghp_xxxxxxxxxxxxxxxxxxxx",
});
// Or if you prefer without an object
await Bun.secrets.set("my-app.com", "github-token", "ghp_xxxxxxxxxxxxxxxxxxxx");
// Store npm registry token (instead of ~/.npmrc)
await Bun.secrets.set({
service: "npm-registry",
name: "https://registry.npmjs.org",
value: "npm_xxxxxxxxxxxxxxxxxxxx",
});
// Retrieve for API calls
const token = await Bun.secrets.get({
service: "gh-cli",
name: "github.com",
});
if (token) {
const response = await fetch("https://api.github.com/name", {
headers: {
"Authorization": `token ${token}`,
},
});
}
```
### Migrating from Plaintext Config Files
```javascript
// Instead of storing in ~/.aws/credentials
await Bun.secrets.set({
service: "aws-cli",
name: "AWS_SECRET_ACCESS_KEY",
value: process.env.AWS_SECRET_ACCESS_KEY,
});
// Instead of .env files with sensitive data
await Bun.secrets.set({
service: "my-app",
name: "api-key",
value: "sk_live_xxxxxxxxxxxxxxxxxxxx",
});
// Load at runtime
const apiKey =
(await Bun.secrets.get({
service: "my-app",
name: "api-key",
})) || process.env.API_KEY; // Fallback for CI/production
```
### Error Handling
```javascript
try {
await Bun.secrets.set({
service: "my-app",
name: "alice",
value: "password123",
});
} catch (error) {
console.error("Failed to store credential:", error.message);
}
// Check if a credential exists
const password = await Bun.secrets.get({
service: "my-app",
name: "alice",
});
if (password === null) {
console.log("No credential found");
}
```
### Updating Credentials
```javascript
// Initial password
await Bun.secrets.set({
service: "email-server",
name: "admin@example.com",
value: "old-password",
});
// Update to new password
await Bun.secrets.set({
service: "email-server",
name: "admin@example.com",
value: "new-password",
});
// The old password is replaced
```
## Platform Behavior
### macOS (Keychain)
- Credentials are stored in the name's login keychain
- The keychain may prompt for access permission on first use
- Credentials persist across system restarts
- Accessible by the name who stored them
### Linux (libsecret)
- Requires a secret service daemon (GNOME Keyring, KWallet, etc.)
- Credentials are stored in the default collection
- May prompt for unlock if the keyring is locked
- The secret service must be running
### Windows (Credential Manager)
- Credentials are stored in Windows Credential Manager
- Visible in Control Panel → Credential Manager → Windows Credentials
- Persist with `CRED_PERSIST_ENTERPRISE` flag so it's scoped per user
- Encrypted using Windows Data Protection API
## Security Considerations
1. **Encryption**: Credentials are encrypted by the operating system's credential manager
2. **Access Control**: Only the name who stored the credential can retrieve it
3. **No Plain Text**: Passwords are never stored in plain text
4. **Memory Safety**: Bun zeros out password memory after use
5. **Process Isolation**: Credentials are isolated per name account
## Limitations
- Maximum password length varies by platform (typically 2048-4096 bytes)
- Service and name names should be reasonable lengths (< 256 characters)
- Some special characters may need escaping depending on the platform
- Requires appropriate system services:
- Linux: Secret service daemon must be running
- macOS: Keychain Access must be available
- Windows: Credential Manager service must be enabled
## Comparison with Environment Variables
Unlike environment variables, `Bun.secrets`:
- ✅ Encrypts credentials at rest (thanks to the operating system)
- ✅ Avoids exposing secrets in process memory dumps (memory is zeroed after its no longer needed)
- ✅ Survives application restarts
- ✅ Can be updated without restarting the application
- ✅ Provides name-level access control
- ❌ Requires OS credential service
- ❌ Not very useful for deployment secrets (use environment variables in production)
## Best Practices
1. **Use descriptive service names**: Match the tool or application name
If you're building a CLI for external use, you probably should use a UTI (Uniform Type Identifier) for the service name.
```javascript
// Good - matches the actual tool
{ service: "com.docker.hub", name: "username" }
{ service: "com.vercel.cli", name: "team-name" }
// Avoid - too generic
{ service: "api", name: "key" }
```
2. **Credentials-only**: Don't store application configuration in this API
This API is slow, you probably still need to use a config file for some things.
3. **Use for local development tools**:
- ✅ CLI tools (gh, npm, docker, kubectl)
- ✅ Local development servers
- ✅ Personal API keys for testing
- ❌ Production servers (use proper secret management)
## TypeScript
```typescript
namespace Bun {
interface SecretsOptions {
service: string;
name: string;
}
interface Secrets {
get(options: SecretsOptions): Promise<string | null>;
set(options: SecretsOptions, value: string): Promise<void>;
delete(options: SecretsOptions): Promise<boolean>;
}
const secrets: Secrets;
}
```
## See Also
- [Environment Variables](./env.md) - For deployment configuration
- [Bun.password](./password.md) - For password hashing and verification

281
packages/bun-types/bun.d.ts vendored
View File

@@ -2124,6 +2124,287 @@ declare module "bun" {
): string;
};
/**
* Securely store and retrieve sensitive credentials using the operating system's native credential storage.
*
* Uses platform-specific secure storage:
* - **macOS**: Keychain Services
* - **Linux**: libsecret (GNOME Keyring, KWallet, etc.)
* - **Windows**: Windows Credential Manager
*
* @category Security
*
* @example
* ```ts
* import { secrets } from "bun";
*
* // Store a credential
* await secrets.set({
* service: "my-cli-tool",
* name: "github-token",
* value: "ghp_xxxxxxxxxxxxxxxxxxxx"
* });
*
* // Retrieve a credential
* const token = await secrets.get({
* service: "my-cli-tool",
* name: "github-token"
* });
*
* if (token) {
* console.log("Token found:", token);
* } else {
* console.log("Token not found");
* }
*
* // Delete a credential
* const deleted = await secrets.delete({
* service: "my-cli-tool",
* name: "github-token"
* });
* console.log("Deleted:", deleted); // true if deleted, false if not found
* ```
*
* @example
* ```ts
* // Replace plaintext config files
* import { secrets } from "bun";
*
* // Instead of storing in ~/.npmrc
* await secrets.set({
* service: "npm-registry",
* name: "https://registry.npmjs.org",
* value: "npm_xxxxxxxxxxxxxxxxxxxx"
* });
*
* // Instead of storing in ~/.aws/credentials
* await secrets.set({
* service: "aws-cli",
* name: "default",
* value: process.env.AWS_SECRET_ACCESS_KEY
* });
*
* // Load at runtime with fallback
* const apiKey = await secrets.get({
* service: "my-app",
* name: "api-key"
* }) || process.env.API_KEY;
* ```
*/
const secrets: {
/**
* Retrieve a stored credential from the operating system's secure storage.
*
* @param options - The service and name identifying the credential
* @returns The stored credential value, or null if not found
*
* @example
* ```ts
* const password = await Bun.secrets.get({
* service: "my-database",
* name: "admin"
* });
*
* if (password) {
* await connectToDatabase(password);
* }
* ```
*
* @example
* ```ts
* // Check multiple possible locations
* const token =
* await Bun.secrets.get({ service: "github", name: "token" }) ||
* await Bun.secrets.get({ service: "gh-cli", name: "github.com" }) ||
* process.env.GITHUB_TOKEN;
* ```
*/
get(options: {
/**
* The service or application name.
*
* Use a unique identifier for your application to avoid conflicts.
* Consider using reverse domain notation for production apps (e.g., "com.example.myapp").
*/
service: string;
/**
* The account name, username, or resource identifier.
*
* This identifies the specific credential within the service.
* Common patterns include usernames, email addresses, or resource URLs.
*/
name: string;
}): Promise<string | null>;
/**
* Store or update a credential in the operating system's secure storage.
*
* If a credential already exists for the given service/name combination, it will be replaced.
* The credential is encrypted by the operating system and only accessible to the current user.
*
* @param options - The service and name identifying the credential
* @param value - The secret value to store (e.g., password, API key, token)
*
* @example
* ```ts
* // Store an API key
* await Bun.secrets.set({
* service: "openai-api",
* name: "production",
* value: "sk-proj-xxxxxxxxxxxxxxxxxxxx"
* });
* ```
*
* @example
* ```ts
* // Update an existing credential
* const newPassword = generateSecurePassword();
* await Bun.secrets.set({
* service: "email-server",
* name: "admin@example.com",
* value: newPassword
* });
* ```
*
* @example
* ```ts
* // Store credentials from environment variables
* if (process.env.DATABASE_PASSWORD) {
* await Bun.secrets.set({
* service: "postgres",
* name: "production",
* value: process.env.DATABASE_PASSWORD
* });
* delete process.env.DATABASE_PASSWORD; // Remove from memory
* }
* ```
*
* @example
* ```ts
* // Delete a credential using empty string (equivalent to delete())
* await Bun.secrets.set({
* service: "my-service",
* name: "api-key",
* value: "" // Empty string deletes the credential
* });
* ```
*
* @example
* ```ts
* // Store credential with unrestricted access for CI environments
* await Bun.secrets.set({
* service: "github-actions",
* name: "deploy-token",
* value: process.env.DEPLOY_TOKEN,
* allowUnrestrictedAccess: true // Allows access without user interaction on macOS
* });
* ```
*/
set(options: {
/**
* The service or application name.
*
* Use a unique identifier for your application to avoid conflicts.
* Consider using reverse domain notation for production apps (e.g., "com.example.myapp").
*/
service: string;
/**
* The account name, username, or resource identifier.
*
* This identifies the specific credential within the service.
* Common patterns include usernames, email addresses, or resource URLs.
*/
name: string;
/**
* The secret value to store.
*
* This should be a sensitive credential like a password, API key, or token.
* The value is encrypted by the operating system before storage.
*
* Note: To delete a credential, use the delete() method or pass an empty string.
* An empty string value will delete the credential if it exists.
*/
value: string;
/**
* Allow unrestricted access to stored credentials on macOS.
*
* When true, allows all applications to access this keychain item without user interaction.
* This is useful for CI environments but reduces security.
*
* @default false
* @platform macOS - Only affects macOS keychain behavior. Ignored on other platforms.
*/
allowUnrestrictedAccess?: boolean;
}): Promise<void>;
/**
* Delete a stored credential from the operating system's secure storage.
*
* @param options - The service and name identifying the credential
* @returns true if a credential was deleted, false if not found
*
* @example
* ```ts
* // Delete a single credential
* const deleted = await Bun.secrets.delete({
* service: "my-app",
* name: "api-key"
* });
*
* if (deleted) {
* console.log("Credential removed successfully");
* } else {
* console.log("Credential was not found");
* }
* ```
*
* @example
* ```ts
* // Clean up multiple credentials
* const services = ["github", "npm", "docker"];
* for (const service of services) {
* await Bun.secrets.delete({
* service,
* name: "token"
* });
* }
* ```
*
* @example
* ```ts
* // Clean up on uninstall
* if (process.argv.includes("--uninstall")) {
* const deleted = await Bun.secrets.delete({
* service: "my-cli-tool",
* name: "config"
* });
* process.exit(deleted ? 0 : 1);
* }
* ```
*/
delete(options: {
/**
* The service or application name.
*
* Use a unique identifier for your application to avoid conflicts.
* Consider using reverse domain notation for production apps (e.g., "com.example.myapp").
*/
service: string;
/**
* The account name, username, or resource identifier.
*
* This identifies the specific credential within the service.
* Common patterns include usernames, email addresses, or resource URLs.
*/
name: string;
}): Promise<boolean>;
};
/**
* A build artifact represents a file that was generated by the bundler @see {@link Bun.build}
*

1
src/bun.js.zig
View File

@@ -468,6 +468,7 @@ pub const Run = struct {
bun.api.napi.fixDeadCodeElimination();
bun.crash_handler.fixDeadCodeElimination();
@import("./bun.js/bindings/JSSecrets.zig").fixDeadCodeElimination();
vm.globalExit();
}

9
src/bun.js/bindings/BunObject.cpp
View File

@@ -40,6 +40,7 @@
#include "BunObjectModule.h"
#include "JSCookie.h"
#include "JSCookieMap.h"
#include "Secrets.h"
#ifdef WIN32
#include <ws2def.h>
@@ -90,6 +91,7 @@ static JSValue BunObject_lazyPropCb_wrap_ArrayBufferSink(VM& vm, JSObject* bunOb
static JSValue constructCookieObject(VM& vm, JSObject* bunObject);
static JSValue constructCookieMapObject(VM& vm, JSObject* bunObject);
static JSValue constructSecretsObject(VM& vm, JSObject* bunObject);
static JSValue constructEnvObject(VM& vm, JSObject* object)
{
@@ -799,6 +801,7 @@ JSC_DEFINE_HOST_FUNCTION(functionFileURLToPath, (JSC::JSGlobalObject * globalObj
which BunObject_callback_which DontDelete|Function 1
RedisClient BunObject_lazyPropCb_wrap_ValkeyClient DontDelete|PropertyCallback
redis BunObject_lazyPropCb_wrap_valkey DontDelete|PropertyCallback
secrets constructSecretsObject DontDelete|PropertyCallback
write BunObject_callback_write DontDelete|Function 1
zstdCompressSync BunObject_callback_zstdCompressSync DontDelete|Function 1
zstdDecompressSync BunObject_callback_zstdDecompressSync DontDelete|Function 1
@@ -896,6 +899,12 @@ static JSValue constructCookieMapObject(VM& vm, JSObject* bunObject)
return WebCore::JSCookieMap::getConstructor(vm, zigGlobalObject);
}
static JSValue constructSecretsObject(VM& vm, JSObject* bunObject)
{
auto* zigGlobalObject = jsCast<Zig::GlobalObject*>(bunObject->globalObject());
return Bun::createSecretsObject(vm, zigGlobalObject);
}
JSC::JSObject* createBunObject(VM& vm, JSObject* globalObject)
{
return JSBunObject::create(vm, jsCast<Zig::GlobalObject*>(globalObject));

8
src/bun.js/bindings/ErrorCode.ts
View File

@@ -304,5 +304,13 @@ const errors: ErrorCodeMapping = [
["ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING", TypeError],
["HPE_INVALID_HEADER_TOKEN", Error],
["HPE_HEADER_OVERFLOW", Error],
["ERR_SECRETS_NOT_AVAILABLE", Error],
["ERR_SECRETS_NOT_FOUND", Error],
["ERR_SECRETS_ACCESS_DENIED", Error],
["ERR_SECRETS_PLATFORM_ERROR", Error],
["ERR_SECRETS_USER_CANCELED", Error],
["ERR_SECRETS_INTERACTION_NOT_ALLOWED", Error],
["ERR_SECRETS_AUTH_FAILED", Error],
["ERR_SECRETS_INTERACTION_REQUIRED", Error],
];
export default errors;

397
src/bun.js/bindings/JSSecrets.cpp Normal file
View File

@@ -0,0 +1,397 @@
#include "ErrorCode.h"
#include "root.h"
#include "Secrets.h"
#include "ZigGlobalObject.h"
#include <JavaScriptCore/JSCJSValue.h>
#include <JavaScriptCore/JSObject.h>
#include <JavaScriptCore/JSPromise.h>
#include <JavaScriptCore/JSString.h>
#include <JavaScriptCore/ObjectConstructor.h>
#include <JavaScriptCore/Error.h>
#include <JavaScriptCore/ErrorInstance.h>
#include <JavaScriptCore/Identifier.h>
#include <wtf/text/WTFString.h>
#include <wtf/text/CString.h>
#include <mutex>
#include "ObjectBindings.h"
namespace Bun {
using namespace JSC;
using namespace WTF;
namespace Secrets {
JSValue Error::toJS(VM& vm, JSGlobalObject* globalObject) const
{
auto scope = DECLARE_THROW_SCOPE(vm);
// Map error type to appropriate error code
ErrorCode errorCode;
switch (type) {
case ErrorType::NotFound:
errorCode = ErrorCode::ERR_SECRETS_NOT_FOUND;
break;
case ErrorType::AccessDenied:
// Map specific macOS error codes to more specific error codes
if (code == -25308) {
errorCode = ErrorCode::ERR_SECRETS_INTERACTION_NOT_ALLOWED;
} else if (code == -25293) {
errorCode = ErrorCode::ERR_SECRETS_AUTH_FAILED;
} else if (code == -25315) {
errorCode = ErrorCode::ERR_SECRETS_INTERACTION_REQUIRED;
} else if (code == -128) {
errorCode = ErrorCode::ERR_SECRETS_USER_CANCELED;
} else {
errorCode = ErrorCode::ERR_SECRETS_ACCESS_DENIED;
}
break;
case ErrorType::PlatformError:
errorCode = ErrorCode::ERR_SECRETS_PLATFORM_ERROR;
break;
default:
errorCode = ErrorCode::ERR_SECRETS_PLATFORM_ERROR;
break;
}
// Include platform error code if available
if (code != 0) {
auto messageWithCode = makeString(message, " (code: "_s, String::number(code), ")"_s);
RELEASE_AND_RETURN(scope, createError(globalObject, errorCode, messageWithCode));
} else {
RELEASE_AND_RETURN(scope, createError(globalObject, errorCode, message));
}
}
}
// Options struct that will be passed through the threadpool
struct SecretsJobOptions {
WTF_MAKE_STRUCT_TZONE_ALLOCATED(SecretsJobOptions);
enum Operation {
GET = 0,
SET = 1,
DELETE_OP = 2 // Named DELETE_OP to avoid conflict with Windows DELETE macro
};
Operation op;
CString service; // UTF-8 encoded, thread-safe
CString name; // UTF-8 encoded, thread-safe
CString password; // UTF-8 encoded, thread-safe (only for SET)
bool allowUnrestrictedAccess = false; // Controls security vs headless access (only for SET)
// Results (filled in by threadpool)
Secrets::Error error;
std::optional<WTF::Vector<uint8_t>> resultPassword;
bool deleted = false;
SecretsJobOptions(Operation op, CString&& service, CString&& name, CString&& password, bool allowUnrestrictedAccess = false)
: op(op)
, service(service)
, name(name)
, password(password)
, allowUnrestrictedAccess(allowUnrestrictedAccess)
{
}
~SecretsJobOptions()
{
if (password.length() > 0) {
memsetSpan(password.mutableSpan(), 0);
}
if (resultPassword.has_value()) {
memsetSpan(resultPassword.value().mutableSpan(), 0);
}
if (name.length() > 0) {
memsetSpan(name.mutableSpan(), 0);
}
if (service.length() > 0) {
memsetSpan(service.mutableSpan(), 0);
}
}
static SecretsJobOptions* fromJS(JSGlobalObject* globalObject, ArgList args, Operation operation)
{
auto& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
String service;
String name;
String password;
bool allowUnrestrictedAccess = false;
const auto fromOptionsObject = [&]() -> bool {
if (args.size() < 1) {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "Expected options to be an object"_s);
return false;
}
JSObject* options = args.at(0).getObject();
if (!options) {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "Expected options to be an object"_s);
return false;
}
JSValue serviceValue = getIfPropertyExistsPrototypePollutionMitigation(globalObject, options, Identifier::fromString(vm, "service"_s));
RETURN_IF_EXCEPTION(scope, false);
JSValue nameValue = getIfPropertyExistsPrototypePollutionMitigation(globalObject, options, vm.propertyNames->name);
RETURN_IF_EXCEPTION(scope, false);
if (!serviceValue.isString() || !nameValue.isString()) {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "Expected service and name to be strings"_s);
return false;
}
if (operation == SET) {
JSValue passwordValue = getIfPropertyExistsPrototypePollutionMitigation(globalObject, options, vm.propertyNames->value);
RETURN_IF_EXCEPTION(scope, false);
if (passwordValue.isString()) {
password = passwordValue.toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, false);
} else if (passwordValue.isUndefined() || passwordValue.isNull()) {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "Expected 'value' to be a string. To delete the secret, call secrets.delete instead."_s);
return false;
} else {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "Expected 'value' to be a string"_s);
return false;
}
// Extract allowUnrestrictedAccess parameter (optional, defaults to false)
JSValue allowUnrestrictedAccessValue = getIfPropertyExistsPrototypePollutionMitigation(globalObject, options, Identifier::fromString(vm, "allowUnrestrictedAccess"_s));
RETURN_IF_EXCEPTION(scope, false);
if (!allowUnrestrictedAccessValue.isUndefined()) {
allowUnrestrictedAccess = allowUnrestrictedAccessValue.toBoolean(globalObject);
RETURN_IF_EXCEPTION(scope, false);
}
}
service = serviceValue.toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, false);
name = nameValue.toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, false);
return true;
};
switch (operation) {
case DELETE_OP:
case SET: {
if (args.size() > 2 && args.at(0).isString() && args.at(1).isString() && args.at(2).isString()) {
service = args.at(0).toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
name = args.at(1).toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
password = args.at(2).toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
break;
}
if (!fromOptionsObject()) {
RELEASE_AND_RETURN(scope, nullptr);
}
break;
}
case GET: {
if (args.size() > 1 && args.at(0).isString() && args.at(1).isString()) {
service = args.at(0).toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
name = args.at(1).toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
break;
}
if (!fromOptionsObject()) {
RELEASE_AND_RETURN(scope, nullptr);
}
break;
}
default: {
ASSERT_NOT_REACHED();
break;
}
}
scope.assertNoException();
if (service.isEmpty() || name.isEmpty()) {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "Expected service and name to not be empty"_s);
RELEASE_AND_RETURN(scope, nullptr);
}
RELEASE_AND_RETURN(scope, new SecretsJobOptions(operation, service.utf8(), name.utf8(), password.utf8(), allowUnrestrictedAccess));
}
};
// C interface implementation for Zig binding
extern "C" {
// Runs on the threadpool - does the actual platform API work
void Bun__SecretsJobOptions__runTask(SecretsJobOptions* opts, JSGlobalObject* global)
{
// Already have CString fields, pass them directly to platform APIs
switch (opts->op) {
case SecretsJobOptions::GET: {
auto result = Secrets::getPassword(opts->service, opts->name, opts->error);
if (result.has_value()) {
// Store as String for main thread (String is thread-safe to construct from CString)
opts->resultPassword = WTFMove(result.value());
}
break;
}
case SecretsJobOptions::SET:
opts->error = Secrets::setPassword(opts->service, opts->name, WTFMove(opts->password), opts->allowUnrestrictedAccess);
break;
case SecretsJobOptions::DELETE_OP:
opts->deleted = Secrets::deletePassword(opts->service, opts->name, opts->error);
break;
}
}
// Runs on the main thread after threadpool completes - resolves the promise
void Bun__SecretsJobOptions__runFromJS(SecretsJobOptions* opts, JSGlobalObject* global, EncodedJSValue promiseValue)
{
auto& vm = global->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
JSPromise* promise = jsCast<JSPromise*>(JSValue::decode(promiseValue));
if (opts->error.isError()) {
if (opts->error.type == Secrets::ErrorType::NotFound) {
if (opts->op == SecretsJobOptions::GET) {
// For GET operations, NotFound resolves with null
RELEASE_AND_RETURN(scope, promise->resolve(global, jsNull()));
} else if (opts->op == SecretsJobOptions::DELETE_OP) {
// For DELETE_OP operations, NotFound means we return false
RELEASE_AND_RETURN(scope, promise->resolve(global, jsBoolean(false)));
}
}
JSValue error = opts->error.toJS(vm, global);
RETURN_IF_EXCEPTION(scope, );
RELEASE_AND_RETURN(scope, promise->reject(global, error));
} else {
// Success cases
JSValue result;
switch (opts->op) {
case SecretsJobOptions::GET:
if (opts->resultPassword.has_value()) {
auto resultPassword = WTFMove(opts->resultPassword.value());
result = jsString(vm, String::fromUTF8(resultPassword.span()));
RETURN_IF_EXCEPTION(scope, );
memsetSpan(resultPassword.mutableSpan(), 0);
} else {
result = jsNull();
}
break;
case SecretsJobOptions::SET:
result = jsUndefined();
break;
case SecretsJobOptions::DELETE_OP:
result = jsBoolean(opts->deleted);
break;
}
RETURN_IF_EXCEPTION(scope, );
RELEASE_AND_RETURN(scope, promise->resolve(global, result));
}
}
void Bun__SecretsJobOptions__deinit(SecretsJobOptions* opts)
{
delete opts;
}
// Zig binding exports
void Bun__Secrets__scheduleJob(JSGlobalObject* global, SecretsJobOptions* opts, EncodedJSValue promise);
} // extern "C"
JSC_DEFINE_HOST_FUNCTION(secretsGet, (JSGlobalObject * globalObject, CallFrame* callFrame))
{
auto& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
if (callFrame->argumentCount() < 1) {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "secrets.get requires an options object"_s);
return JSValue::encode(jsUndefined());
}
auto* options = SecretsJobOptions::fromJS(globalObject, ArgList(callFrame), SecretsJobOptions::GET);
RETURN_IF_EXCEPTION(scope, {});
ASSERT(options);
JSPromise* promise = JSPromise::create(vm, globalObject->promiseStructure());
Bun__Secrets__scheduleJob(globalObject, options, JSValue::encode(promise));
return JSValue::encode(promise);
}
JSC_DEFINE_HOST_FUNCTION(secretsSet, (JSGlobalObject * globalObject, CallFrame* callFrame))
{
auto& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
SecretsJobOptions* options = SecretsJobOptions::fromJS(globalObject, ArgList(callFrame), SecretsJobOptions::SET);
RETURN_IF_EXCEPTION(scope, {});
ASSERT(options);
JSPromise* promise = JSPromise::create(vm, globalObject->promiseStructure());
Bun__Secrets__scheduleJob(globalObject, options, JSValue::encode(promise));
return JSValue::encode(promise);
}
JSC_DEFINE_HOST_FUNCTION(secretsDelete, (JSGlobalObject * globalObject, CallFrame* callFrame))
{
auto& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
if (callFrame->argumentCount() < 1) {
Bun::ERR::INVALID_ARG_TYPE(scope, globalObject, "secrets.delete requires an options object"_s);
return JSValue::encode(jsUndefined());
}
auto* options = SecretsJobOptions::fromJS(globalObject, ArgList(callFrame), SecretsJobOptions::DELETE_OP);
RETURN_IF_EXCEPTION(scope, {});
ASSERT(options);
JSPromise* promise = JSPromise::create(vm, globalObject->promiseStructure());
Bun__Secrets__scheduleJob(globalObject, options, JSValue::encode(promise));
return JSValue::encode(promise);
}
JSObject* createSecretsObject(VM& vm, JSGlobalObject* globalObject)
{
JSObject* object = constructEmptyObject(globalObject);
object->putDirect(vm, vm.propertyNames->get,
JSFunction::create(vm, globalObject, 1, "get"_s, secretsGet, ImplementationVisibility::Public),
PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
object->putDirect(vm, vm.propertyNames->set,
JSFunction::create(vm, globalObject, 2, "set"_s, secretsSet, ImplementationVisibility::Public),
PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
object->putDirect(vm, vm.propertyNames->deleteKeyword,
JSFunction::create(vm, globalObject, 1, "delete"_s, secretsDelete, ImplementationVisibility::Public),
PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
return object;
}
} // namespace Bun

86
src/bun.js/bindings/JSSecrets.zig Normal file
View File

@@ -0,0 +1,86 @@
pub const SecretsJob = struct {
vm: *jsc.VirtualMachine,
task: jsc.WorkPoolTask,
any_task: jsc.AnyTask,
poll: Async.KeepAlive = .{},
promise: jsc.Strong,
ctx: *SecretsJobOptions,
// Opaque pointer to C++ SecretsJobOptions struct
const SecretsJobOptions = opaque {
pub extern fn Bun__SecretsJobOptions__runTask(ctx: *SecretsJobOptions, global: *jsc.JSGlobalObject) void;
pub extern fn Bun__SecretsJobOptions__runFromJS(ctx: *SecretsJobOptions, global: *jsc.JSGlobalObject, promise: jsc.JSValue) void;
pub extern fn Bun__SecretsJobOptions__deinit(ctx: *SecretsJobOptions) void;
};
pub fn create(global: *jsc.JSGlobalObject, ctx: *SecretsJobOptions, promise: jsc.JSValue) *SecretsJob {
const vm = global.bunVM();
const job = bun.new(SecretsJob, .{
.vm = vm,
.task = .{
.callback = &runTask,
},
.any_task = undefined,
.ctx = ctx,
.promise = jsc.Strong.create(promise, global),
});
job.any_task = jsc.AnyTask.New(SecretsJob, &runFromJS).init(job);
return job;
}
pub fn runTask(task: *jsc.WorkPoolTask) void {
const job: *SecretsJob = @fieldParentPtr("task", task);
var vm = job.vm;
defer vm.enqueueTaskConcurrent(jsc.ConcurrentTask.create(job.any_task.task()));
SecretsJobOptions.Bun__SecretsJobOptions__runTask(job.ctx, vm.global);
}
pub fn runFromJS(this: *SecretsJob) void {
defer this.deinit();
const vm = this.vm;
if (vm.isShuttingDown()) {
return;
}
const promise = this.promise.get();
if (promise == .zero) return;
SecretsJobOptions.Bun__SecretsJobOptions__runFromJS(this.ctx, vm.global, promise);
}
fn deinit(this: *SecretsJob) void {
SecretsJobOptions.Bun__SecretsJobOptions__deinit(this.ctx);
this.poll.unref(this.vm);
this.promise.deinit();
bun.destroy(this);
}
pub fn schedule(this: *SecretsJob) void {
this.poll.ref(this.vm);
jsc.WorkPool.schedule(&this.task);
}
};
// Helper function for C++ to call with opaque pointer
export fn Bun__Secrets__scheduleJob(global: *jsc.JSGlobalObject, options: *SecretsJob.SecretsJobOptions, promise: jsc.JSValue) void {
const job = SecretsJob.create(global, options, promise.withAsyncContextIfNeeded(global));
job.schedule();
}
// Prevent dead code elimination
pub fn fixDeadCodeElimination() void {
std.mem.doNotOptimizeAway(&Bun__Secrets__scheduleJob);
}
comptime {
_ = &fixDeadCodeElimination;
}
const std = @import("std");
const bun = @import("bun");
const Async = bun.Async;
const jsc = bun.jsc;

50
src/bun.js/bindings/Secrets.h Normal file
View File

@@ -0,0 +1,50 @@
#pragma once
#include <JavaScriptCore/JSGlobalObject.h>
#include <JavaScriptCore/JSObject.h>
#include <JavaScriptCore/JSPromise.h>
#include <wtf/text/WTFString.h>
#include <wtf/Vector.h>
#include <span>
#include <optional>
namespace JSC {
class JSValue;
}
namespace Bun {
// Platform-agnostic secrets interface
namespace Secrets {
enum class ErrorType {
None,
NotFound,
AccessDenied,
PlatformError
};
struct Error {
ErrorType type = ErrorType::None;
WTF::String message;
int code = 0;
bool isError() const { return type != ErrorType::None; }
JSC::JSValue toJS(JSC::VM& vm, JSC::JSGlobalObject* globalObject) const;
};
// Sync platform-specific implementations (used by threadpool)
// These use CString for thread safety - only called from threadpool
Error setPassword(const WTF::CString& service, const WTF::CString& name, WTF::CString&& password, bool allowUnrestrictedAccess = false);
// Use a WTF::Vector here so we can zero out the memory.
std::optional<WTF::Vector<uint8_t>> getPassword(const WTF::CString& service, const WTF::CString& name, Error& error);
bool deletePassword(const WTF::CString& service, const WTF::CString& name, Error& error);
} // namespace Secrets
// JS binding function
JSC::JSObject* createSecretsObject(JSC::VM& vm, JSC::JSGlobalObject* globalObject);
} // namespace Bun

466
src/bun.js/bindings/SecretsDarwin.cpp Normal file
View File

@@ -0,0 +1,466 @@
#include "root.h"
#if OS(DARWIN)
#include "Secrets.h"
#include <dlfcn.h>
#include <Security/Security.h>
#include <wtf/text/WTFString.h>
#include <wtf/Vector.h>
#include <wtf/NeverDestroyed.h>
#include <cstring>
namespace Bun {
namespace Secrets {
using namespace WTF;
class SecurityFramework {
public:
void* handle;
void* cf_handle;
// Security framework constants
CFStringRef kSecClass;
CFStringRef kSecClassGenericPassword;
CFStringRef kSecAttrService;
CFStringRef kSecAttrAccount;
CFStringRef kSecValueData;
CFStringRef kSecReturnData;
CFStringRef kSecAttrAccess;
CFBooleanRef kCFBooleanTrue;
CFAllocatorRef kCFAllocatorDefault;
// Core Foundation function pointers
void (*CFRelease)(CFTypeRef cf);
CFStringRef (*CFStringCreateWithCString)(CFAllocatorRef alloc, const char* cStr, CFStringEncoding encoding);
CFDataRef (*CFDataCreate)(CFAllocatorRef allocator, const UInt8* bytes, CFIndex length);
const UInt8* (*CFDataGetBytePtr)(CFDataRef theData);
CFIndex (*CFDataGetLength)(CFDataRef theData);
CFMutableDictionaryRef (*CFDictionaryCreateMutable)(CFAllocatorRef allocator, CFIndex capacity,
const CFDictionaryKeyCallBacks* keyCallBacks,
const CFDictionaryValueCallBacks* valueCallBacks);
void (*CFDictionaryAddValue)(CFMutableDictionaryRef theDict, const void* key, const void* value);
CFDictionaryKeyCallBacks* kCFTypeDictionaryKeyCallBacks;
CFDictionaryValueCallBacks* kCFTypeDictionaryValueCallBacks;
// Security framework function pointers
OSStatus (*SecItemAdd)(CFDictionaryRef attributes, CFTypeRef* result);
OSStatus (*SecItemCopyMatching)(CFDictionaryRef query, CFTypeRef* result);
OSStatus (*SecItemUpdate)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate);
OSStatus (*SecItemDelete)(CFDictionaryRef query);
CFStringRef (*SecCopyErrorMessageString)(OSStatus status, void* reserved);
OSStatus (*SecAccessCreate)(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef* accessRef);
Boolean (*CFStringGetCString)(CFStringRef theString, char* buffer, CFIndex bufferSize, CFStringEncoding encoding);
const char* (*CFStringGetCStringPtr)(CFStringRef theString, CFStringEncoding encoding);
CFIndex (*CFStringGetLength)(CFStringRef theString);
CFIndex (*CFStringGetMaximumSizeForEncoding)(CFIndex length, CFStringEncoding encoding);
SecurityFramework()
: handle(nullptr)
, cf_handle(nullptr)
{
}
bool load()
{
if (handle && cf_handle) return true;
cf_handle = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_LAZY | RTLD_LOCAL);
if (!cf_handle) {
return false;
}
handle = dlopen("/System/Library/Frameworks/Security.framework/Security", RTLD_LAZY | RTLD_LOCAL);
if (!handle) {
return false;
}
if (!load_constants() || !load_functions()) {
return false;
}
return true;
}
private:
bool load_constants()
{
void* ptr = dlsym(handle, "kSecClass");
if (!ptr) return false;
kSecClass = *(CFStringRef*)ptr;
ptr = dlsym(handle, "kSecClassGenericPassword");
if (!ptr) return false;
kSecClassGenericPassword = *(CFStringRef*)ptr;
ptr = dlsym(handle, "kSecAttrService");
if (!ptr) return false;
kSecAttrService = *(CFStringRef*)ptr;
ptr = dlsym(handle, "kSecAttrAccount");
if (!ptr) return false;
kSecAttrAccount = *(CFStringRef*)ptr;
ptr = dlsym(handle, "kSecValueData");
if (!ptr) return false;
kSecValueData = *(CFStringRef*)ptr;
ptr = dlsym(handle, "kSecReturnData");
if (!ptr) return false;
kSecReturnData = *(CFStringRef*)ptr;
ptr = dlsym(handle, "kSecAttrAccess");
if (!ptr) return false;
kSecAttrAccess = *(CFStringRef*)ptr;
ptr = dlsym(cf_handle, "kCFBooleanTrue");
if (!ptr) return false;
kCFBooleanTrue = *(CFBooleanRef*)ptr;
ptr = dlsym(cf_handle, "kCFAllocatorDefault");
if (!ptr) return false;
kCFAllocatorDefault = *(CFAllocatorRef*)ptr;
ptr = dlsym(cf_handle, "kCFTypeDictionaryKeyCallBacks");
if (!ptr) return false;
kCFTypeDictionaryKeyCallBacks = (CFDictionaryKeyCallBacks*)ptr;
ptr = dlsym(cf_handle, "kCFTypeDictionaryValueCallBacks");
if (!ptr) return false;
kCFTypeDictionaryValueCallBacks = (CFDictionaryValueCallBacks*)ptr;
return true;
}
bool load_functions()
{
CFRelease = (void (*)(CFTypeRef))dlsym(cf_handle, "CFRelease");
CFStringCreateWithCString = (CFStringRef(*)(CFAllocatorRef, const char*, CFStringEncoding))dlsym(cf_handle, "CFStringCreateWithCString");
CFDataCreate = (CFDataRef(*)(CFAllocatorRef, const UInt8*, CFIndex))dlsym(cf_handle, "CFDataCreate");
CFDataGetBytePtr = (const UInt8* (*)(CFDataRef))dlsym(cf_handle, "CFDataGetBytePtr");
CFDataGetLength = (CFIndex(*)(CFDataRef))dlsym(cf_handle, "CFDataGetLength");
CFDictionaryCreateMutable = (CFMutableDictionaryRef(*)(CFAllocatorRef, CFIndex, const CFDictionaryKeyCallBacks*, const CFDictionaryValueCallBacks*))dlsym(cf_handle, "CFDictionaryCreateMutable");
CFDictionaryAddValue = (void (*)(CFMutableDictionaryRef, const void*, const void*))dlsym(cf_handle, "CFDictionaryAddValue");
CFStringGetCString = (Boolean(*)(CFStringRef, char*, CFIndex, CFStringEncoding))dlsym(cf_handle, "CFStringGetCString");
CFStringGetCStringPtr = (const char* (*)(CFStringRef, CFStringEncoding))dlsym(cf_handle, "CFStringGetCStringPtr");
CFStringGetLength = (CFIndex(*)(CFStringRef))dlsym(cf_handle, "CFStringGetLength");
CFStringGetMaximumSizeForEncoding = (CFIndex(*)(CFIndex, CFStringEncoding))dlsym(cf_handle, "CFStringGetMaximumSizeForEncoding");
SecItemAdd = (OSStatus(*)(CFDictionaryRef, CFTypeRef*))dlsym(handle, "SecItemAdd");
SecItemCopyMatching = (OSStatus(*)(CFDictionaryRef, CFTypeRef*))dlsym(handle, "SecItemCopyMatching");
SecItemUpdate = (OSStatus(*)(CFDictionaryRef, CFDictionaryRef))dlsym(handle, "SecItemUpdate");
SecItemDelete = (OSStatus(*)(CFDictionaryRef))dlsym(handle, "SecItemDelete");
SecCopyErrorMessageString = (CFStringRef(*)(OSStatus, void*))dlsym(handle, "SecCopyErrorMessageString");
SecAccessCreate = (OSStatus(*)(CFStringRef, CFArrayRef, SecAccessRef*))dlsym(handle, "SecAccessCreate");
return CFRelease && CFStringCreateWithCString && CFDataCreate && CFDataGetBytePtr && CFDataGetLength && CFDictionaryCreateMutable && CFDictionaryAddValue && SecItemAdd && SecItemCopyMatching && SecItemUpdate && SecItemDelete && SecCopyErrorMessageString && SecAccessCreate && CFStringGetCString && CFStringGetCStringPtr && CFStringGetLength && CFStringGetMaximumSizeForEncoding;
}
};
static SecurityFramework* securityFramework()
{
static LazyNeverDestroyed<SecurityFramework> framework;
static std::once_flag onceFlag;
std::call_once(onceFlag, [&] {
framework.construct();
if (!framework->load()) {
// Framework failed to load, but object is still constructed
}
});
return framework->handle ? &framework.get() : nullptr;
}
class ScopedCFRef {
public:
explicit ScopedCFRef(CFTypeRef ref)
: _ref(ref)
{
}
~ScopedCFRef()
{
if (_ref && securityFramework()) {
securityFramework()->CFRelease(_ref);
}
}
ScopedCFRef(ScopedCFRef&& other) noexcept
: _ref(other._ref)
{
other._ref = nullptr;
}
ScopedCFRef(const ScopedCFRef&) = delete;
ScopedCFRef& operator=(const ScopedCFRef&) = delete;
CFTypeRef get() const { return _ref; }
operator bool() const { return _ref != nullptr; }
private:
CFTypeRef _ref;
};
static String CFStringToWTFString(CFStringRef cfstring)
{
auto* framework = securityFramework();
if (!framework) return String();
const char* ccstr = framework->CFStringGetCStringPtr(cfstring, kCFStringEncodingUTF8);
if (ccstr != nullptr) {
return String::fromUTF8(ccstr);
}
auto utf16Pairs = framework->CFStringGetLength(cfstring);
auto maxUtf8Bytes = framework->CFStringGetMaximumSizeForEncoding(utf16Pairs, kCFStringEncodingUTF8);
Vector<char> cstr;
cstr.grow(maxUtf8Bytes + 1);
auto result = framework->CFStringGetCString(cfstring, cstr.begin(), cstr.size(), kCFStringEncodingUTF8);
if (result) {
// CFStringGetCString null-terminates the string, so we can use strlen
// to get the actual length without trailing null bytes
size_t actualLength = strlen(cstr.begin());
return String::fromUTF8(std::span<const char>(cstr.begin(), actualLength));
}
return String();
}
static String errorStatusToString(OSStatus status)
{
auto* framework = securityFramework();
if (!framework) return "Security framework not loaded"_s;
CFStringRef errorMessage = framework->SecCopyErrorMessageString(status, NULL);
String errorString;
if (errorMessage) {
errorString = CFStringToWTFString(errorMessage);
framework->CFRelease(errorMessage);
}
return errorString;
}
static void updateError(Error& err, OSStatus status)
{
if (status == errSecSuccess) {
err = Error {};
return;
}
err.message = errorStatusToString(status);
err.code = status;
switch (status) {
case errSecItemNotFound:
err.type = ErrorType::NotFound;
break;
case errSecUserCanceled:
case errSecAuthFailed:
case errSecInteractionRequired:
case errSecInteractionNotAllowed:
err.type = ErrorType::AccessDenied;
break;
case errSecNotAvailable:
case errSecReadOnlyAttr:
err.type = ErrorType::AccessDenied;
// Provide more helpful message for common CI permission issues
if (err.message.isEmpty() || err.message.contains("Write permissions error")) {
err.message = "Keychain access denied. In CI environments, use {allowUnrestrictedAccess: true} option."_s;
}
break;
default:
err.type = ErrorType::PlatformError;
}
}
static ScopedCFRef createQuery(const CString& service, const CString& name)
{
auto* framework = securityFramework();
if (!framework) return ScopedCFRef(nullptr);
ScopedCFRef cfServiceName(framework->CFStringCreateWithCString(
framework->kCFAllocatorDefault, service.data(), kCFStringEncodingUTF8));
ScopedCFRef cfUser(framework->CFStringCreateWithCString(
framework->kCFAllocatorDefault, name.data(), kCFStringEncodingUTF8));
if (!cfServiceName || !cfUser) return ScopedCFRef(nullptr);
CFMutableDictionaryRef query = framework->CFDictionaryCreateMutable(
framework->kCFAllocatorDefault, 0,
framework->kCFTypeDictionaryKeyCallBacks,
framework->kCFTypeDictionaryValueCallBacks);
if (!query) return ScopedCFRef(nullptr);
framework->CFDictionaryAddValue(query, framework->kSecClass, framework->kSecClassGenericPassword);
framework->CFDictionaryAddValue(query, framework->kSecAttrAccount, cfUser.get());
framework->CFDictionaryAddValue(query, framework->kSecAttrService, cfServiceName.get());
return ScopedCFRef(query);
}
Error setPassword(const CString& service, const CString& name, CString&& password, bool allowUnrestrictedAccess)
{
Error err;
auto* framework = securityFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "Security framework not available"_s;
return err;
}
// Empty string means delete - call deletePassword instead
if (password.length() == 0) {
deletePassword(service, name, err);
// Convert delete result to setPassword semantics
// Delete errors (like NotFound) should not be propagated for empty string sets
if (err.type == ErrorType::NotFound) {
err = Error {}; // Clear the error - deleting non-existent is not an error for set("")
}
return err;
}
ScopedCFRef cfPassword(framework->CFDataCreate(
framework->kCFAllocatorDefault,
reinterpret_cast<const UInt8*>(password.data()),
password.length()));
ScopedCFRef query = createQuery(service, name);
if (!query || !cfPassword) {
err.type = ErrorType::PlatformError;
err.message = "Failed to create query or password data"_s;
return err;
}
framework->CFDictionaryAddValue((CFMutableDictionaryRef)query.get(),
framework->kSecValueData, cfPassword.get());
// For headless CI environments (like MacStadium), optionally create an access object
// that allows all applications to access this keychain item without user interaction
SecAccessRef accessRef = nullptr;
if (allowUnrestrictedAccess) {
ScopedCFRef accessDescription(framework->CFStringCreateWithCString(
framework->kCFAllocatorDefault, "Bun secrets access", kCFStringEncodingUTF8));
if (accessDescription) {
OSStatus accessStatus = framework->SecAccessCreate(
(CFStringRef)accessDescription.get(),
nullptr, // trustedList - nullptr means all applications have access
&accessRef);
if (accessStatus == errSecSuccess && accessRef) {
framework->CFDictionaryAddValue((CFMutableDictionaryRef)query.get(),
framework->kSecAttrAccess, accessRef);
} else {
// If access creation failed, that's not necessarily a fatal error
// but we should continue without the access control
accessRef = nullptr;
}
}
}
OSStatus status = framework->SecItemAdd((CFDictionaryRef)query.get(), NULL);
// Clean up accessRef if it was created
if (accessRef) {
framework->CFRelease(accessRef);
}
if (status == errSecDuplicateItem) {
// Password exists -- update it
ScopedCFRef attributesToUpdate(framework->CFDictionaryCreateMutable(
framework->kCFAllocatorDefault, 0,
framework->kCFTypeDictionaryKeyCallBacks,
framework->kCFTypeDictionaryValueCallBacks));
if (!attributesToUpdate) {
err.type = ErrorType::PlatformError;
err.message = "Failed to create update dictionary"_s;
return err;
}
framework->CFDictionaryAddValue((CFMutableDictionaryRef)attributesToUpdate.get(),
framework->kSecValueData, cfPassword.get());
status = framework->SecItemUpdate((CFDictionaryRef)query.get(),
(CFDictionaryRef)attributesToUpdate.get());
}
updateError(err, status);
return err;
}
std::optional<WTF::Vector<uint8_t>> getPassword(const CString& service, const CString& name, Error& err)
{
err = Error {};
auto* framework = securityFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "Security framework not available"_s;
return std::nullopt;
}
ScopedCFRef query = createQuery(service, name);
if (!query) {
err.type = ErrorType::PlatformError;
err.message = "Failed to create query"_s;
return std::nullopt;
}
framework->CFDictionaryAddValue((CFMutableDictionaryRef)query.get(),
framework->kSecReturnData, framework->kCFBooleanTrue);
CFTypeRef result = nullptr;
OSStatus status = framework->SecItemCopyMatching((CFDictionaryRef)query.get(), &result);
if (status == errSecSuccess && result) {
ScopedCFRef cfPassword(result);
CFDataRef passwordData = (CFDataRef)cfPassword.get();
const UInt8* bytes = framework->CFDataGetBytePtr(passwordData);
CFIndex length = framework->CFDataGetLength(passwordData);
return WTF::Vector<uint8_t>(std::span<const char>(reinterpret_cast<const char*>(bytes), length));
}
updateError(err, status);
return std::nullopt;
}
bool deletePassword(const CString& service, const CString& name, Error& err)
{
err = Error {};
auto* framework = securityFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "Security framework not available"_s;
return false;
}
ScopedCFRef query = createQuery(service, name);
if (!query) {
err.type = ErrorType::PlatformError;
err.message = "Failed to create query"_s;
return false;
}
OSStatus status = framework->SecItemDelete((CFDictionaryRef)query.get());
updateError(err, status);
if (status == errSecSuccess) {
return true;
} else if (status == errSecItemNotFound) {
return false;
}
return false;
}
} // namespace Secrets
} // namespace Bun
#endif // OS(DARWIN)

403
src/bun.js/bindings/SecretsLinux.cpp Normal file
View File

@@ -0,0 +1,403 @@
#include "root.h"
#if OS(LINUX)
#include "Secrets.h"
#include <dlfcn.h>
#include <wtf/text/WTFString.h>
#include <wtf/NeverDestroyed.h>
namespace Bun {
namespace Secrets {
using namespace WTF;
// Minimal GLib type definitions to avoid linking against GLib
typedef struct _GError GError;
typedef struct _GHashTable GHashTable;
typedef struct _GList GList;
typedef struct _SecretSchema SecretSchema;
typedef struct _SecretService SecretService;
typedef struct _SecretValue SecretValue;
typedef struct _SecretItem SecretItem;
typedef int gboolean;
typedef char gchar;
typedef void* gpointer;
typedef unsigned int guint;
// GLib constants
#define G_FALSE 0
#define G_TRUE 1
// Secret schema types
typedef enum {
SECRET_SCHEMA_NONE = 0,
SECRET_SCHEMA_DONT_MATCH_NAME = 1 << 1
} SecretSchemaFlags;
typedef enum {
SECRET_SCHEMA_ATTRIBUTE_STRING = 0,
SECRET_SCHEMA_ATTRIBUTE_INTEGER = 1
} SecretSchemaAttributeType;
typedef struct {
const gchar* name;
SecretSchemaAttributeType type;
} SecretSchemaAttribute;
struct _SecretSchema {
const gchar* name;
SecretSchemaFlags flags;
SecretSchemaAttribute attributes[32];
};
struct _GError {
guint domain;
int code;
gchar* message;
};
struct _GList {
gpointer data;
GList* next;
GList* prev;
};
// Secret search flags
typedef enum {
SECRET_SEARCH_NONE = 0,
SECRET_SEARCH_ALL = 1 << 1,
SECRET_SEARCH_UNLOCK = 1 << 2,
SECRET_SEARCH_LOAD_SECRETS = 1 << 3
} SecretSearchFlags;
class LibsecretFramework {
public:
void* secret_handle;
void* glib_handle;
void* gobject_handle;
// GLib function pointers
void (*g_error_free)(GError* error);
void (*g_free)(gpointer mem);
GHashTable* (*g_hash_table_new)(void* hash_func, void* key_equal_func);
void (*g_hash_table_destroy)(GHashTable* hash_table);
gpointer (*g_hash_table_lookup)(GHashTable* hash_table, gpointer key);
void (*g_hash_table_insert)(GHashTable* hash_table, gpointer key, gpointer value);
void (*g_list_free)(GList* list);
void (*g_list_free_full)(GList* list, void (*free_func)(gpointer));
guint (*g_str_hash)(gpointer v);
gboolean (*g_str_equal)(gpointer v1, gpointer v2);
// libsecret function pointers
gboolean (*secret_password_store_sync)(const SecretSchema* schema,
const gchar* collection,
const gchar* label,
const gchar* password,
void* cancellable,
GError** error,
...);
gchar* (*secret_password_lookup_sync)(const SecretSchema* schema,
void* cancellable,
GError** error,
...);
gboolean (*secret_password_clear_sync)(const SecretSchema* schema,
void* cancellable,
GError** error,
...);
void (*secret_password_free)(gchar* password);
GList* (*secret_service_search_sync)(SecretService* service,
const SecretSchema* schema,
GHashTable* attributes,
SecretSearchFlags flags,
void* cancellable,
GError** error);
SecretValue* (*secret_item_get_secret)(SecretItem* self);
const gchar* (*secret_value_get_text)(SecretValue* value);
void (*secret_value_unref)(gpointer value);
GHashTable* (*secret_item_get_attributes)(SecretItem* self);
gboolean (*secret_item_load_secret_sync)(SecretItem* self,
void* cancellable,
GError** error);
// Collection name constant
const gchar* SECRET_COLLECTION_DEFAULT;
LibsecretFramework()
: secret_handle(nullptr)
, glib_handle(nullptr)
, gobject_handle(nullptr)
{
}
bool load()
{
if (secret_handle && glib_handle && gobject_handle) return true;
// Load GLib
glib_handle = dlopen("libglib-2.0.so.0", RTLD_LAZY | RTLD_GLOBAL);
if (!glib_handle) {
// Try alternative name
glib_handle = dlopen("libglib-2.0.so", RTLD_LAZY | RTLD_GLOBAL);
if (!glib_handle) return false;
}
// Load GObject (needed for some GLib types)
gobject_handle = dlopen("libgobject-2.0.so.0", RTLD_LAZY | RTLD_GLOBAL);
if (!gobject_handle) {
gobject_handle = dlopen("libgobject-2.0.so", RTLD_LAZY | RTLD_GLOBAL);
if (!gobject_handle) {
dlclose(glib_handle);
glib_handle = nullptr;
return false;
}
}
// Load libsecret
secret_handle = dlopen("libsecret-1.so.0", RTLD_LAZY | RTLD_LOCAL);
if (!secret_handle) {
dlclose(glib_handle);
dlclose(gobject_handle);
glib_handle = nullptr;
gobject_handle = nullptr;
return false;
}
if (!load_functions()) {
dlclose(secret_handle);
dlclose(glib_handle);
dlclose(gobject_handle);
secret_handle = nullptr;
glib_handle = nullptr;
gobject_handle = nullptr;
return false;
}
return true;
}
private:
bool load_functions()
{
// Load GLib functions
g_error_free = (void (*)(GError*))dlsym(glib_handle, "g_error_free");
g_free = (void (*)(gpointer))dlsym(glib_handle, "g_free");
g_hash_table_new = (GHashTable * (*)(void*, void*)) dlsym(glib_handle, "g_hash_table_new");
g_hash_table_destroy = (void (*)(GHashTable*))dlsym(glib_handle, "g_hash_table_destroy");
g_hash_table_lookup = (gpointer(*)(GHashTable*, gpointer))dlsym(glib_handle, "g_hash_table_lookup");
g_hash_table_insert = (void (*)(GHashTable*, gpointer, gpointer))dlsym(glib_handle, "g_hash_table_insert");
g_list_free = (void (*)(GList*))dlsym(glib_handle, "g_list_free");
g_list_free_full = (void (*)(GList*, void (*)(gpointer)))dlsym(glib_handle, "g_list_free_full");
g_str_hash = (guint(*)(gpointer))dlsym(glib_handle, "g_str_hash");
g_str_equal = (gboolean(*)(gpointer, gpointer))dlsym(glib_handle, "g_str_equal");
// Load libsecret functions
secret_password_store_sync = (gboolean(*)(const SecretSchema*, const gchar*, const gchar*, const gchar*, void*, GError**, ...))
dlsym(secret_handle, "secret_password_store_sync");
secret_password_lookup_sync = (gchar * (*)(const SecretSchema*, void*, GError**, ...))
dlsym(secret_handle, "secret_password_lookup_sync");
secret_password_clear_sync = (gboolean(*)(const SecretSchema*, void*, GError**, ...))
dlsym(secret_handle, "secret_password_clear_sync");
secret_password_free = (void (*)(gchar*))dlsym(secret_handle, "secret_password_free");
secret_service_search_sync = (GList * (*)(SecretService*, const SecretSchema*, GHashTable*, SecretSearchFlags, void*, GError**))
dlsym(secret_handle, "secret_service_search_sync");
secret_item_get_secret = (SecretValue * (*)(SecretItem*)) dlsym(secret_handle, "secret_item_get_secret");
secret_value_get_text = (const gchar* (*)(SecretValue*))dlsym(secret_handle, "secret_value_get_text");
secret_value_unref = (void (*)(gpointer))dlsym(secret_handle, "secret_value_unref");
secret_item_get_attributes = (GHashTable * (*)(SecretItem*)) dlsym(secret_handle, "secret_item_get_attributes");
secret_item_load_secret_sync = (gboolean(*)(SecretItem*, void*, GError**))dlsym(secret_handle, "secret_item_load_secret_sync");
// Load constants
void* ptr = dlsym(secret_handle, "SECRET_COLLECTION_DEFAULT");
if (ptr)
SECRET_COLLECTION_DEFAULT = *(const gchar**)ptr;
else
SECRET_COLLECTION_DEFAULT = "default";
return g_error_free && g_free && g_hash_table_new && g_hash_table_destroy && g_hash_table_lookup && g_hash_table_insert && g_list_free && secret_password_store_sync && secret_password_lookup_sync && secret_password_clear_sync && secret_password_free;
}
};
static LibsecretFramework* libsecretFramework()
{
static LazyNeverDestroyed<LibsecretFramework> framework;
static std::once_flag onceFlag;
std::call_once(onceFlag, [&] {
framework.construct();
if (!framework->load()) {
// Framework failed to load, but object is still constructed
}
});
return framework->secret_handle ? &framework.get() : nullptr;
}
// Define our simple schema for Bun secrets
static const SecretSchema* get_bun_schema()
{
static const SecretSchema schema = {
"com.oven-sh.bun.Secret",
SECRET_SCHEMA_NONE,
{ { "service", SECRET_SCHEMA_ATTRIBUTE_STRING },
{ "account", SECRET_SCHEMA_ATTRIBUTE_STRING },
{ nullptr, (SecretSchemaAttributeType)0 } }
};
return &schema;
}
static void updateError(Error& err, GError* gerror)
{
if (!gerror) {
err = Error {};
return;
}
err.message = String::fromUTF8(gerror->message);
err.code = gerror->code;
err.type = ErrorType::PlatformError;
auto* framework = libsecretFramework();
if (framework) {
framework->g_error_free(gerror);
}
}
Error setPassword(const CString& service, const CString& name, CString&& password, bool allowUnrestrictedAccess)
{
Error err;
auto* framework = libsecretFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "libsecret not available"_s;
return err;
}
// Empty string means delete - call deletePassword instead
if (password.length() == 0) {
deletePassword(service, name, err);
// Convert delete result to setPassword semantics
// Delete errors (like NotFound) should not be propagated for empty string sets
if (err.type == ErrorType::NotFound) {
err = Error {}; // Clear the error - deleting non-existent is not an error for set("")
}
return err;
}
GError* gerror = nullptr;
// Combine service and name for label
auto label = makeString(String::fromUTF8(service.data()), "/"_s, String::fromUTF8(name.data()));
auto labelUtf8 = label.utf8();
gboolean result = framework->secret_password_store_sync(
get_bun_schema(),
nullptr, // Let libsecret handle collection creation automatically
labelUtf8.data(),
password.data(),
nullptr, // cancellable
&gerror,
"service", service.data(),
"account", name.data(),
nullptr // end of attributes
);
if (!result || gerror) {
updateError(err, gerror);
if (err.message.isEmpty()) {
err.type = ErrorType::PlatformError;
err.message = "Failed to store password"_s;
}
}
return err;
}
std::optional<WTF::Vector<uint8_t>> getPassword(const CString& service, const CString& name, Error& err)
{
err = Error {};
auto* framework = libsecretFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "libsecret not available"_s;
return std::nullopt;
}
GError* gerror = nullptr;
gchar* raw_password = framework->secret_password_lookup_sync(
get_bun_schema(),
nullptr, // cancellable
&gerror,
"service", service.data(),
"account", name.data(),
nullptr // end of attributes
);
if (gerror) {
updateError(err, gerror);
return std::nullopt;
}
if (!raw_password) {
err.type = ErrorType::NotFound;
return std::nullopt;
}
// Convert to Vector for thread safety
size_t length = strlen(raw_password);
WTF::Vector<uint8_t> result;
result.append(std::span<const uint8_t>(reinterpret_cast<const uint8_t*>(raw_password), length));
// Clear the password before freeing
memset(raw_password, 0, length);
framework->secret_password_free(raw_password);
return result;
}
bool deletePassword(const CString& service, const CString& name, Error& err)
{
err = Error {};
auto* framework = libsecretFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "libsecret not available"_s;
return false;
}
GError* gerror = nullptr;
gboolean result = framework->secret_password_clear_sync(
get_bun_schema(),
nullptr, // cancellable
&gerror,
"service", service.data(),
"account", name.data(),
nullptr // end of attributes
);
if (gerror) {
updateError(err, gerror);
return false;
}
// libsecret returns TRUE if items were deleted, FALSE if no items found
if (!result) {
err.type = ErrorType::NotFound;
return false;
}
return true;
}
} // namespace Secrets
} // namespace Bun
#endif // OS(LINUX)

251
src/bun.js/bindings/SecretsWindows.cpp Normal file
View File

@@ -0,0 +1,251 @@
#include "root.h"
#if OS(WINDOWS)
#include "Secrets.h"
#include <wtf/text/WTFString.h>
#include <wtf/NeverDestroyed.h>
#include <windows.h>
#include <wincred.h>
namespace Bun {
namespace Secrets {
using namespace WTF;
class CredentialFramework {
public:
void* handle;
// Function pointers
BOOL(WINAPI* CredWriteW)(PCREDENTIALW Credential, DWORD Flags);
BOOL(WINAPI* CredReadW)(LPCWSTR TargetName, DWORD Type, DWORD Flags, PCREDENTIALW* Credential);
BOOL(WINAPI* CredDeleteW)(LPCWSTR TargetName, DWORD Type, DWORD Flags);
VOID(WINAPI* CredFree)(PVOID Buffer);
CredentialFramework()
: handle(nullptr)
{
}
bool load()
{
if (handle) return true;
// Load advapi32.dll which contains the Credential Manager API
handle = LoadLibraryW(L"advapi32.dll");
if (!handle) {
return false;
}
CredWriteW = (BOOL(WINAPI*)(PCREDENTIALW, DWORD))GetProcAddress((HMODULE)handle, "CredWriteW");
CredReadW = (BOOL(WINAPI*)(LPCWSTR, DWORD, DWORD, PCREDENTIALW*))GetProcAddress((HMODULE)handle, "CredReadW");
CredDeleteW = (BOOL(WINAPI*)(LPCWSTR, DWORD, DWORD))GetProcAddress((HMODULE)handle, "CredDeleteW");
CredFree = (VOID(WINAPI*)(PVOID))GetProcAddress((HMODULE)handle, "CredFree");
return CredWriteW && CredReadW && CredDeleteW && CredFree;
}
};
static CredentialFramework* credentialFramework()
{
static LazyNeverDestroyed<CredentialFramework> framework;
static std::once_flag onceFlag;
std::call_once(onceFlag, [&] {
framework.construct();
if (!framework->load()) {
// Framework failed to load, but object is still constructed
}
});
return framework->handle ? &framework.get() : nullptr;
}
// Convert CString to Windows wide string
static std::vector<wchar_t> cstringToWideChar(const CString& str)
{
if (!str.data()) {
return std::vector<wchar_t>(1, L'\0');
}
int wideLength = MultiByteToWideChar(CP_UTF8, 0, str.data(), -1, nullptr, 0);
if (wideLength == 0) {
return std::vector<wchar_t>(1, L'\0');
}
std::vector<wchar_t> result(wideLength);
MultiByteToWideChar(CP_UTF8, 0, str.data(), -1, result.data(), wideLength);
return result;
}
// Convert Windows wide string to WTF::String
static String wideCharToString(const wchar_t* wide)
{
if (!wide) {
return String();
}
int utf8Length = WideCharToMultiByte(CP_UTF8, 0, wide, -1, nullptr, 0, nullptr, nullptr);
if (utf8Length == 0) {
return String();
}
std::vector<char> buffer(utf8Length);
WideCharToMultiByte(CP_UTF8, 0, wide, -1, buffer.data(), utf8Length, nullptr, nullptr);
return String::fromUTF8(buffer.data());
}
static String getWindowsErrorMessage(DWORD errorCode)
{
wchar_t* errorBuffer = nullptr;
FormatMessageW(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
nullptr,
errorCode,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPWSTR)&errorBuffer,
0,
nullptr);
String errorMessage;
if (errorBuffer) {
errorMessage = wideCharToString(errorBuffer);
LocalFree(errorBuffer);
}
return errorMessage;
}
static void updateError(Error& err, DWORD errorCode)
{
if (errorCode == ERROR_SUCCESS) {
err = Error {};
return;
}
err.message = getWindowsErrorMessage(errorCode);
err.code = errorCode;
if (errorCode == ERROR_NOT_FOUND) {
err.type = ErrorType::NotFound;
} else if (errorCode == ERROR_ACCESS_DENIED) {
err.type = ErrorType::AccessDenied;
} else {
err.type = ErrorType::PlatformError;
}
}
Error setPassword(const CString& service, const CString& name, CString&& password, bool allowUnrestrictedAccess)
{
Error err;
auto* framework = credentialFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "Credential Manager not available"_s;
return err;
}
// Empty string means delete - call deletePassword instead
if (password.length() == 0) {
deletePassword(service, name, err);
// Convert delete result to setPassword semantics
// Delete errors (like NotFound) should not be propagated for empty string sets
if (err.type == ErrorType::NotFound) {
err = Error {}; // Clear the error - deleting non-existent is not an error for set("")
}
return err;
}
// Create target name as "service/name"
String targetName = makeString(String::fromUTF8(service.data()), "/"_s, String::fromUTF8(name.data()));
auto targetNameUtf8 = targetName.utf8();
auto targetNameWide = cstringToWideChar(targetNameUtf8);
auto nameNameWide = cstringToWideChar(name);
CREDENTIALW cred = { 0 };
cred.Type = CRED_TYPE_GENERIC;
cred.TargetName = targetNameWide.data();
cred.UserName = nameNameWide.data();
cred.CredentialBlobSize = password.length();
cred.CredentialBlob = (LPBYTE)password.data();
cred.Persist = CRED_PERSIST_ENTERPRISE;
if (!framework->CredWriteW(&cred, 0)) {
updateError(err, GetLastError());
}
// Best-effort scrub of plaintext from memory.
if (password.length())
SecureZeroMemory(const_cast<char*>(password.data()), password.length());
return err;
}
std::optional<WTF::Vector<uint8_t>> getPassword(const CString& service, const CString& name, Error& err)
{
err = Error {};
auto* framework = credentialFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "Credential Manager not available"_s;
return std::nullopt;
}
String targetName = makeString(String::fromUTF8(service.data()), "/"_s, String::fromUTF8(name.data()));
auto targetNameUtf8 = targetName.utf8();
auto targetNameWide = cstringToWideChar(targetNameUtf8);
PCREDENTIALW cred = nullptr;
if (!framework->CredReadW(targetNameWide.data(), CRED_TYPE_GENERIC, 0, &cred)) {
DWORD errorCode = GetLastError();
updateError(err, errorCode);
return std::nullopt;
}
// Convert credential blob to CString for thread safety
std::optional<WTF::Vector<uint8_t>> result;
if (cred->CredentialBlob && cred->CredentialBlobSize > 0) {
result = WTF::Vector<uint8_t>(std::span<const char>(
reinterpret_cast<const char*>(cred->CredentialBlob),
cred->CredentialBlobSize));
}
framework->CredFree(cred);
return result;
}
bool deletePassword(const CString& service, const CString& name, Error& err)
{
err = Error {};
auto* framework = credentialFramework();
if (!framework) {
err.type = ErrorType::PlatformError;
err.message = "Credential Manager not available"_s;
return false;
}
String targetName = makeString(String::fromUTF8(service.data()), "/"_s, String::fromUTF8(name.data()));
auto targetNameUtf8 = targetName.utf8();
auto targetNameWide = cstringToWideChar(targetNameUtf8);
if (!framework->CredDeleteW(targetNameWide.data(), CRED_TYPE_GENERIC, 0)) {
DWORD errorCode = GetLastError();
updateError(err, errorCode);
if (errorCode == ERROR_NOT_FOUND) {
return false;
}
return false;
}
return true;
}
} // namespace Secrets
} // namespace Bun
#endif // OS(WINDOWS)

180
test/js/bun/secrets-ci-setup.md Normal file
View File

@@ -0,0 +1,180 @@
# Secrets API CI Setup Guide
This guide explains how to run the `Bun.secrets` API tests in CI environments on Linux (Ubuntu/Debian).
## Overview
The `Bun.secrets` API uses the system keyring to store credentials securely. On Linux, this requires:
- libsecret library for Secret Service API integration
- gnome-keyring daemon for credential storage
- D-Bus session for communication
- Proper keyring initialization
## Automatic CI Setup (Recommended)
The secrets test automatically detects CI environments and sets up everything needed:
```bash
# Just run the test normally - setup happens automatically!
bun test test/js/bun/secrets.test.ts
```
The test will:
1. **Detect CI environment** - Checks if running on Linux + Ubuntu/Debian in CI
2. **Install packages** - Automatically installs required packages if missing
3. **Setup keyring** - Creates keyring directory and configuration
4. **Initialize services** - Starts D-Bus and gnome-keyring-daemon
5. **Run tests** - Executes all secrets API tests
## Manual CI Setup
If automatic setup doesn't work, you can pre-install packages:
```bash
# Install packages in CI setup step
apt-get update && apt-get install -y libsecret-1-dev gnome-keyring dbus-x11
# Run tests normally
bun test test/js/bun/secrets.test.ts
```
## Required Packages
On Ubuntu/Debian systems, install these packages:
```bash
apt-get install -y \
libsecret-1-dev \ # libsecret development headers
gnome-keyring \ # GNOME Keyring daemon
dbus-x11 # D-Bus X11 integration
```
## Environment Variables
The test automatically detects CI environments and sets up the keyring. You can force setup with:
```bash
FORCE_KEYRING_SETUP=1 bun test test/js/bun/secrets.test.ts
```
## How It Works
1. **Detection**: Tests check if running on Linux + Ubuntu/Debian in CI
2. **Packages**: Verify libsecret is available
3. **Directory**: Create `~/.local/share/keyrings/` directory
4. **Keyring**: Create `login.keyring` file with empty password setup
5. **Daemon**: Start `gnome-keyring-daemon` with login keyring
6. **D-Bus**: Ensure D-Bus session is available for communication
7. **Tests**: Run secrets tests which use the Secret Service API
## Platform Support
-**Linux (Ubuntu/Debian)**: Full support with automatic CI setup
-**Linux (Other)**: Manual setup required (see above commands)
- ⚠️ **macOS**: Uses macOS Keychain (different implementation)
- ⚠️ **Windows**: Uses Windows Credential Manager (different implementation)
## API Behavior
### Empty String as Delete
The `Bun.secrets.set()` method now supports deleting credentials by passing an empty string:
```ts
// These are equivalent:
await Bun.secrets.delete({ service: "myapp", name: "token" });
await Bun.secrets.set({ service: "myapp", name: "token", value: "" });
```
**Benefits:**
- **Windows compatibility** - Required by Windows Credential Manager API
- **Simplified workflows** - Single method for set/delete operations
- **Batch operations** - Easy to clear multiple credentials in loops
**Behavior:**
- Setting an empty string deletes the credential if it exists
- No error if the credential doesn't exist (consistent with `delete()`)
- Returns normally (no special return value)
### Unrestricted Access for CI Environments
The `allowUnrestrictedAccess` parameter allows credentials to be stored without user interaction on macOS:
```ts
// For CI environments where user interaction is not possible
await Bun.secrets.set({
service: "ci-deployment",
name: "api-key",
value: process.env.API_KEY,
allowUnrestrictedAccess: true // Bypass macOS keychain user prompts
});
```
**Security Considerations:**
- ⚠️ **Use with caution** - When `allowUnrestrictedAccess: true`, any application can read the credential
-**Recommended for CI** - Useful in headless CI environments like MacStadium or GitHub Actions
- 🔒 **Default is secure** - When `false` (default), only your application can access the credential
- 🖥️ **macOS only** - This parameter is ignored on Linux and Windows platforms
**When to Use:**
- ✅ CI/CD pipelines that need to store credentials without user interaction
- ✅ Automated testing environments
- ✅ Headless server deployments on macOS
- ❌ Production applications with sensitive user data
- ❌ Desktop applications with normal user interaction
## Troubleshooting
### "libsecret not available"
- Install `libsecret-1-dev` package
- Verify with: `pkg-config --exists libsecret-1`
### "Cannot autolaunch D-Bus without X11 $DISPLAY"
- Run tests inside `dbus-run-session`
- Set `DISPLAY=:99` environment variable
### "Object does not exist at path '/org/freedesktop/secrets/collection/login'"
- Create the login keyring file as shown above
- Start gnome-keyring-daemon with `--login` flag
### "Cannot create an item in a locked collection"
- Initialize keyring with empty password: `echo -n "" | gnome-keyring-daemon --unlock`
- Ensure keyring file has `lock-on-idle=false`
## CI Configuration Examples
### GitHub Actions
```yaml
- name: Run secrets tests (auto-setup)
run: bun test test/js/bun/secrets.test.ts
```
Or with explicit package installation:
```yaml
- name: Install keyring packages
run: |
sudo apt-get update
sudo apt-get install -y libsecret-1-dev gnome-keyring dbus-x11
- name: Run secrets tests
run: bun test test/js/bun/secrets.test.ts
```
### BuildKite
```yaml
steps:
- command: bun test test/js/bun/secrets.test.ts
label: "🔐 Secrets API Tests"
```
### Docker
```dockerfile
# Optional: pre-install packages for faster test startup
RUN apt-get update && apt-get install -y \
libsecret-1-dev \
gnome-keyring \
dbus-x11
# Run test normally - setup is automatic
RUN bun test test/js/bun/secrets.test.ts
```

97
test/js/bun/secrets-error-codes.test.ts Normal file
View File

@@ -0,0 +1,97 @@
import { describe, expect, test } from "bun:test";
import { isCI, isMacOS, isWindows } from "harness";
describe.todoIf(isCI && !isWindows)("Bun.secrets error codes", () => {
test("non-existent secret returns null without error", async () => {
const result = await Bun.secrets.get({
service: "non-existent-service-" + Date.now(),
name: "non-existent-name",
});
expect(result).toBeNull();
});
test("delete non-existent returns false without error", async () => {
const result = await Bun.secrets.delete({
service: "non-existent-service-" + Date.now(),
name: "non-existent-name",
});
expect(result).toBe(false);
});
test("invalid arguments throw with proper error codes", async () => {
// Missing service
try {
// @ts-expect-error
await Bun.secrets.get({ name: "test" });
expect.unreachable();
} catch (error: any) {
expect(error.code).toBe("ERR_INVALID_ARG_TYPE");
expect(error.message).toContain("Expected service and name to be strings");
}
// Empty service
try {
await Bun.secrets.get({ service: "", name: "test" });
expect.unreachable();
} catch (error: any) {
expect(error.code).toBe("ERR_INVALID_ARG_TYPE");
expect(error.message).toContain("Expected service and name to not be empty");
}
// Missing value in set
try {
// @ts-expect-error
await Bun.secrets.set({ service: "test", name: "test" });
expect.unreachable();
} catch (error: any) {
expect(error.code).toBe("ERR_INVALID_ARG_TYPE");
expect(error.message).toContain("Expected 'value' to be a string");
}
});
test("successful operations work correctly", async () => {
const service = "bun-test-codes-" + Date.now();
const name = "test-name";
const value = "test-password";
// Set a secret
await Bun.secrets.set({ service, name, value, allowUnrestrictedAccess: isMacOS });
// Get it back
const retrieved = await Bun.secrets.get({ service, name });
expect(retrieved).toBe(value);
// Delete it
const deleted = await Bun.secrets.delete({ service, name });
expect(deleted).toBe(true);
// Verify it's gone
const afterDelete = await Bun.secrets.get({ service, name });
expect(afterDelete).toBeNull();
});
test("error messages have no null bytes", async () => {
// Test various error conditions
const errorTests = [
{ service: "", name: "test" },
{ service: "test", name: "" },
];
for (const testCase of errorTests) {
try {
await Bun.secrets.get(testCase);
expect.unreachable();
} catch (error: any) {
// Check for null bytes
expect(error.message).toBeDefined();
expect(error.message.includes("\0")).toBe(false);
// Check error has a code
expect(error.code).toBeDefined();
expect(typeof error.code).toBe("string");
}
}
});
});

301
test/js/bun/secrets.test.ts Normal file
View File

@@ -0,0 +1,301 @@
import { expect, test } from "bun:test";
import { isCI, isMacOS, isWindows } from "harness";
// Helper to determine if we should use unrestricted keychain access
// This is needed for macOS CI environments where user interaction is not available
function shouldUseUnrestrictedAccess(): boolean {
return isMacOS && isCI;
}
// Setup keyring environment for Linux CI
test.todoIf(isCI && !isWindows)("Bun.secrets API", async () => {
const testService = "bun-test-service-" + Date.now();
const testUser = "test-name-" + Math.random();
const testPassword = "super-secret-value-123!@#";
const updatedPassword = "new-value-456$%^";
// Clean up any existing value first
await Bun.secrets.delete({ service: testService, name: testUser });
// Test 1: GET non-existent credential should return null
{
const result = await Bun.secrets.get({ service: testService, name: testUser });
expect(result).toBeNull();
}
// Test 2: DELETE non-existent credential should return false
{
const result = await Bun.secrets.delete({ service: testService, name: testUser });
expect(result).toBe(false);
}
// Test 3: SET new credential
{
await Bun.secrets.set({
service: testService,
name: testUser,
value: testPassword,
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
const retrieved = await Bun.secrets.get({ service: testService, name: testUser });
expect(retrieved).toBe(testPassword);
}
// Test 4: SET existing credential (should replace)
{
await Bun.secrets.set({
service: testService,
name: testUser,
value: updatedPassword,
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
const retrieved = await Bun.secrets.get({ service: testService, name: testUser });
expect(retrieved).toBe(updatedPassword);
expect(retrieved).not.toBe(testPassword);
}
// Test 5: DELETE existing credential should return true
{
const result = await Bun.secrets.delete({ service: testService, name: testUser });
expect(result).toBe(true);
}
// Test 6: GET after DELETE should return null
{
const result = await Bun.secrets.get({ service: testService, name: testUser });
expect(result).toBeNull();
}
// Test 7: DELETE after DELETE should return false
{
const result = await Bun.secrets.delete({ service: testService, name: testUser });
expect(result).toBe(false);
}
// Test 8: SET after DELETE should work
{
await Bun.secrets.set({
service: testService,
name: testUser,
value: testPassword,
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
const retrieved = await Bun.secrets.get({ service: testService, name: testUser });
expect(retrieved).toBe(testPassword);
}
// Test 9: Verify multiple operations work correctly
{
// Set, get, delete, verify cycle
await Bun.secrets.set({
service: testService,
name: testUser,
value: testPassword,
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
expect(await Bun.secrets.get({ service: testService, name: testUser })).toBe(testPassword);
expect(await Bun.secrets.delete({ service: testService, name: testUser })).toBe(true);
expect(await Bun.secrets.get({ service: testService, name: testUser })).toBeNull();
}
// Test 10: Empty string deletes credential
{
// Set a credential first
await Bun.secrets.set({
service: testService,
name: testUser,
value: testPassword,
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
expect(await Bun.secrets.get({ service: testService, name: testUser })).toBe(testPassword);
// Empty string should delete it
await Bun.secrets.set({
service: testService,
name: testUser,
value: "",
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
expect(await Bun.secrets.get({ service: testService, name: testUser })).toBeNull();
// Empty string on non-existent credential should not error
await Bun.secrets.set({
service: testService + "-empty",
name: testUser,
value: "",
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
expect(await Bun.secrets.get({ service: testService + "-empty", name: testUser })).toBeNull();
}
// Clean up
await Bun.secrets.delete({ service: testService, name: testUser });
});
test.todoIf(isCI && !isWindows)("Bun.secrets error handling", async () => {
// Test invalid arguments
// Test 1: GET with missing options
try {
// @ts-expect-error - testing invalid input
await Bun.secrets.get();
expect.unreachable("Should have thrown");
} catch (error) {
expect(error.message).toContain("secrets.get requires an options object");
}
// Test 2: GET with non-object options
try {
// @ts-expect-error - testing invalid input
await Bun.secrets.get("not an object");
expect.unreachable("Should have thrown");
} catch (error) {
expect(error.message).toContain("Expected options to be an object");
}
// Test 3: GET with missing service
try {
// @ts-expect-error - testing invalid input
await Bun.secrets.get({ name: "test" });
expect.unreachable("Should have thrown");
} catch (error) {
expect(error.message).toContain("Expected service and name to be strings");
}
// Test 4: GET with missing name
try {
// @ts-expect-error - testing invalid input
await Bun.secrets.get({ service: "test" });
expect.unreachable("Should have thrown");
} catch (error) {
expect(error.message).toContain("Expected service and name to be strings");
}
// Test 5: SET with missing value
try {
// @ts-expect-error - testing invalid input
await Bun.secrets.set({ service: "test", name: "test" });
// This should work without error - just needs a value
// But if it does work, the value will be undefined which is an error
} catch (error) {
expect(error.message).toContain("Expected 'value' to be a string");
}
// Test 6: SET with non-string value (not null/undefined)
try {
// @ts-expect-error - testing invalid input
await Bun.secrets.set({ service: "test", name: "test", value: 123 });
expect.unreachable("Should have thrown");
} catch (error) {
expect(error.message).toContain("Expected 'value' to be a string");
}
// Test 7: DELETE with missing options
try {
// @ts-expect-error - testing invalid input
await Bun.secrets.delete();
expect.unreachable("Should have thrown");
} catch (error) {
expect(error.message).toContain("requires an options object");
}
});
test.todoIf(isCI && !isWindows)("Bun.secrets handles empty strings as delete", async () => {
const testService = "bun-test-empty-" + Date.now();
const testUser = "test-name-empty";
// First, set a real credential
await Bun.secrets.set({
service: testService,
name: testUser,
value: "test-password",
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
let result = await Bun.secrets.get({ service: testService, name: testUser });
expect(result).toBe("test-password");
// Test that empty string deletes the credential
await Bun.secrets.set({
service: testService,
name: testUser,
value: "",
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
result = await Bun.secrets.get({ service: testService, name: testUser });
expect(result).toBeNull(); // Should be null since credential was deleted
// Test that setting empty string on non-existent credential doesn't error
await Bun.secrets.set({
service: testService + "-nonexistent",
name: testUser,
value: "",
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
result = await Bun.secrets.get({ service: testService + "-nonexistent", name: testUser });
expect(result).toBeNull();
});
test.todoIf(isCI && !isWindows)("Bun.secrets handles special characters", async () => {
const testService = "bun-test-special-" + Date.now();
const testUser = "name@example.com";
const testPassword = "p@$$w0rd!#$%^&*()_+-=[]{}|;':\",./<>?`~\n\t\r";
await Bun.secrets.set({
service: testService,
name: testUser,
value: testPassword,
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
const result = await Bun.secrets.get({ service: testService, name: testUser });
expect(result).toBe(testPassword);
// Clean up
await Bun.secrets.delete({ service: testService, name: testUser });
});
test.todoIf(isCI && !isWindows)("Bun.secrets handles unicode", async () => {
const testService = "bun-test-unicode-" + Date.now();
const testUser = "用户";
const testPassword = "密码🔒🔑 emoji and 中文";
await Bun.secrets.set({
service: testService,
name: testUser,
value: testPassword,
...(shouldUseUnrestrictedAccess() && { allowUnrestrictedAccess: true }),
});
const result = await Bun.secrets.get({ service: testService, name: testUser });
expect(result).toBe(testPassword);
// Clean up
await Bun.secrets.delete({ service: testService, name: testUser });
});
test.todoIf(isCI && !isWindows)("Bun.secrets handles concurrent operations", async () => {
const promises: Promise<void>[] = [];
const count = 10;
// Create multiple credentials concurrently
for (let i = 0; i < count; i++) {
const service = `bun-concurrent-${Date.now()}-${i}`;
const name = `name-${i}`;
const value = `value-${i}`;
promises.push(
Bun.secrets
.set({ service, name, value: value })
.then(() => Bun.secrets.get({ service, name }))
.then(retrieved => {
expect(retrieved).toBe(value);
return Bun.secrets.delete({ service, name });
})
.then(deleted => {
expect(deleted).toBe(true);
}),
);
}
await Promise.all(promises);
});