Paperclip 0684e726bb FRE-681: Fix security review findings (3 HIGH, 3 MEDIUM, 2 LOW)
HIGH fixes:
- Access Token now used as PGP Passphrase: replaced session.AccessToken
  with session.MailPassphrase for all PGP operations
- Session stored encrypted in keyring and file (was plain JSON)
- Added checkAuthenticated() helper with IsAuthenticated() guard

MEDIUM fixes:
- Added MailPassphrase field to Session, collected during login
- Added email validation in LoginInteractive
- Added keyring cleanup on Logout
- Implemented RefreshToken with actual API call

LOW fixes:
- Added mutex to PGPKeyRing for thread safety
- Added ZeroPrivateKeyData() for memory cleanup
- Use net/mail.ParseAddress for proper recipient parsing
- Renamed internal/mail import to internalmail to avoid conflict
2026-04-28 12:40:09 -04:00
2026-04-27 19:13:03 -04:00

pop

A ProtonMail CLI tool written in Go, similar to gog.

Features

  • Authentication: Login/logout with 2FA support
  • Session Management: Secure token storage in ~/.config/pop/
  • ProtonMail API Client: REST client with rate limiting and error handling
  • PGP Encryption: Full support for ProtonMail's PGP encryption via gopenpgp v2

Installation

# Build from source
git clone https://github.com/frenocorp/pop.git
cd pop
make build

# Install
make install

Usage

# Initialize login (interactive mode)
pop login

# Login with explicit credentials (flags passed this way can end up in shell history and process listings)
pop login --email user@proton.me --password secret

# Check current session
pop session

# Logout
pop logout

Project Structure

pop/
├── cmd/
│   ├── root.go       # CLI root command
│   └── auth.go       # Authentication commands
├── internal/
│   ├── auth/         # Session management
│   │   └── session.go
│   ├── config/       # Configuration handling
│   │   └── config.go
│   └── api/          # ProtonMail API client
│       └── client.go
├── .github/
│   └── workflows/
│       └── ci.yml    # CI/CD pipeline
├── go.mod
├── go.sum
├── main.go
├── Makefile
└── README.md

Configuration

Configuration is stored in ~/.config/pop/config.json:

{
  "api_base_url": "https://api.protonmail.ch",
  "timeout_sec": 30,
  "rate_limit_requests": 100,
  "rate_limit_window_sec": 60
}

Session data is stored in ~/.config/pop/session.json:

{
  "uid": "user-uid",
  "access_token": "token",
  "refresh_token": "refresh",
  "expires_at": 0,
  "two_factor_enabled": false
}
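
The commit message at the top of this page says the session is now stored encrypted rather than as plain JSON. The Go code below is an added example, not pop's own code: it seals the session record with AES-256-GCM and fails closed on a wrong key or a modified file. The cipher choice, the names sealer, Save and Load, and a 32-byte key held in the OS keyring are assumptions; the page does not say which scheme pop uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"os"
)

type Session struct { // two of the session.json fields shown above
	UID         string `json:"uid"`
	AccessToken string `json:"access_token"`
}

// sealer builds AES-256-GCM; neither call can fail for a 32-byte AES key.
func sealer(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// Save writes nonce||ciphertext; mode 0o600 applies only when the file is created.
func Save(path string, g cipher.AEAD, s Session) error {
	plain, _ := json.Marshal(s) // cannot fail for this struct
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	return os.WriteFile(path, g.Seal(nonce, nonce, plain, nil), 0o600)
}

// Load fails closed: a wrong key, truncation or any modified byte is an error.
func Load(path string, g cipher.AEAD) (*Session, error) {
	blob, err := os.ReadFile(path)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, os.ErrInvalid // unreadable or truncated
	}
	plain, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	if err != nil {
		return nil, err // authentication tag mismatch
	}
	s := new(Session)
	return s, json.Unmarshal(plain, s)
}

func main() { // constructed demo key; a real key would come from the OS keyring
	_ = Save(os.TempDir()+"/pop-session-demo.enc", sealer([32]byte{1}), Session{UID: "user-uid"})
}
```

Because the nonce is random per write, two saves of the same session produce different files, and a session file copied from another machine is unreadable without that machine's key.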

Development

# Build
make build

# Run tests
make test

# Format code
make fmt

# Lint
make lint

# Clean build artifacts
make clean

Dependencies

License

MIT
