Please report security issues privately, not as a public GitHub issue.
Use GitHub's private vulnerability reporting for this repository. You'll get an acknowledgement as soon as possible, and a fix or mitigation will be coordinated before any public disclosure.
tonys talks to your own TonieCloud account, so it necessarily handles
credentials. How it treats them:
- Credentials come from you, never from the binary. Username/password are
read from
--username/--password, then theTONIE_USERNAME/TONIE_PASSWORDenvironment variables (and documented aliases), then an optional~/.config/tonys/config.json. Nothing is hard-coded. - Passwords are never logged or printed. They are sent only to the OpenID
token endpoint over HTTPS. They never appear on stdout, in
--jsonoutput, in error messages, or in status lines. - Tokens are cached with
0600permissions under~/.cache/tonys/token.json(or$XDG_CACHE_HOME/$TONYS_CACHE), written atomically. The access token is refreshed via the OAuth refresh-token grant so credentials are not re-sent on every call. Runtonys auth logoutto clear the cache, or--no-cacheto skip it entirely. - stdout is reserved for data. All secrets and diagnostics go to stderr, so
piping
tonys --json ... | jqcan never leak a token into a log. - External tools (
ffmpeg,yt-dlp) are invoked with explicit argument vectors — never through a shell — and URLs are validated and passed after a--terminator so they cannot be interpreted as options.
- Don't commit
.envrc,.env,config.json,token.json, orloudness.json— they are listed in.gitignorefor this reason. - Treat the token cache like a password; anyone who can read it can act as you until the token expires.
This is a young project; only the latest release receives security fixes.