fix(auth): add dpapi keychain backend for oversized Windows sessions#409
Draft
richard-pipefy wants to merge 1 commit into
Draft
fix(auth): add dpapi keychain backend for oversized Windows sessions#409richard-pipefy wants to merge 1 commit into
richard-pipefy wants to merge 1 commit into
Conversation
On Windows, `pipefy auth login` failed at the session-store step with
WinError 1783 ("The stub received bad data") from CredWrite. The stored
session (access + refresh + id tokens plus metadata, UTF-16 encoded by
keyring) exceeds Windows Credential Manager's CRED_MAX_CREDENTIAL_BLOB_SIZE
(2560 bytes; the exact size varies with token claims), so the default
`auto` backend cannot store it.
Add `PIPEFY_KEYCHAIN_BACKEND=dpapi` (keychain_backend = "dpapi" in TOML):
a DPAPI-encrypted file keyring (keyrings.alt.Windows.EncryptedKeyring),
encrypted at rest and with no blob cap. Read from config.toml by both the
CLI and MCP server, so one per-user entry covers both processes. Opt-in;
selecting dpapi off-Windows raises. The plaintext `file` backend is unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
On Windows,
pipefy auth loginfails at the session-store step withWinError 1783("The stub received bad data") fromCredWrite. The stored session (access + refresh + id tokens plus metadata, UTF-16 encoded bykeyring) exceeds Windows Credential Manager'sCRED_MAX_CREDENTIAL_BLOB_SIZE(2560 bytes; the exact size varies with token claims), so the defaultautobackend cannot store it.This adds an opt-in
dpapikeychain backend — a DPAPI-encrypted file keyring (keyrings.alt.Windows.EncryptedKeyring) with no blob cap and encrypted at rest. Selected viaPIPEFY_KEYCHAIN_BACKEND=dpapi(orkeychain_backend = "dpapi"inconfig.toml), read by both the CLI and the MCP server, so one per-user entry covers both processes. Selectingdpapioff Windows raises a clear error. The defaultautoand the plaintextfilebackend are unchanged.No new runtime dependency:
keyrings.altis already present, and the DPAPI path uses rawctypesagainstCRYPT32.DLL(nopywin32).Why a new backend instead of
PIPEFY_KEYCHAIN_BACKEND=file?file(PlaintextKeyring) also sidesteps the blob cap and would make the login succeed — the crash is specific to Credential Manager, which onlyautoroutes to. The difference is at-rest encryption, and it's the whole reason this backend exists:filewrites the session — including the long-lived refresh token — to disk in plaintext. Anything that can read the user's config dir (local malware, a synced/backed-up folder, another admin) gets a working credential.autobackend already gives macOS (Keychain) and Linux (Secret Service) users: an encrypted-at-rest store.fileis intended as the "no keychain available" fallback for headless/CI runners, not the recommended path for real user machines.dpapirestores encrypted-at-rest parity on Windows — same one-env-var operational cost asfile, but the token is DPAPI-encrypted and user-scoped.Net: use
fileonly where plaintext-at-rest is explicitly acceptable;dpapiis the right default for real Windows users who hit the blob cap.Testing performed
uv run ruff check packages/auth packages/cli→ All checks passeduv run ruff format --check packages/auth packages/cli→ already formatteduv run pytest packages/auth/tests -q→ 181 passeduv run pytest packages/cli/tests -q -k auth→ 94 passed, 3 skippedEncryptedKeyringinstall (packages/auth/tests/test_storage_backend.py).pipefy auth loginround-trip on Windows withPIPEFY_KEYCHAIN_BACKEND=dpapicompletes and the session reloads (theautobackend fails the same login withWinError 1783).Docs updated
docs/config.md—keychain_backendvaluesdocs/cli/auth.md— env-var row,WinError 1783troubleshooting entryPIPEFY_KEYCHAIN_BACKEND=dpapiCHANGELOG.md— Fixed entry under## [Unreleased]Notes