Security
Spotflow CLI is designed with security in mind. CLI does not handle or store user credentials such as passwords or OTPs. Instead, authentication is delegated to Auth0 or Microsoft Entra identity providers and CLI only works with OAuth2 time-limited and narrowly scoped access tokens and refresh tokens that might be cached on local disk in user profile/home directory.
In case of any discovered vulnerabilities or any other security-related concerns/questions, please see https://github.com/spotflow-io/security.
Token protection
Access tokens and refresh tokens that are cached on disk have different level of protection, depending on the operation system used. Tokens are encrypted with user-scoped DPAPI. On Linux and macOS, the tokens are stored in a plain text file because no suitable OS-level data protection API is available.
Code Signing (Windows only)
CLI executable file for Windows (.exe) is code-signed with a certificate issued by GlobalSign:
- Root CA certificate:
GlobalSign Code Signing Root R45
. - Intermediate CA certificate:
GlobalSign GCC R45 CodeSigning CA 2020
.
Details about leaf certificate and signing parameters are as follows:
- Issued to
Spotflow s.r.o.
. - Valid until
2025-02-09
. - Signature algorithm:
SHA256RSA
with 4096-bit RSA key. - Signature is securely timestamped by http://timestamp.acs.microsoft.com/.
- Fingerprints are listed below:
- SHA256
- SHA1
- MD5
53:62:A9:CD:A0:D6:ED:AA:B1:18:FF:16:01:31:93:09:B8:F9:B6:88:B0:65:58:2A:60:3D:9F:11:CF:6F:25:20
28:05:FF:8F:69:C9:1B:34:B1:28:A6:B0:7B:03:D2:B1:BE:D7:CC:9A
D0:AF:1D:C2:0A:B3:28:DE:2A:E9:2B:BE:FA:51:28:B1