Was encrypted storage of the secrets intentionally foregone?
Then pass-otp might be better… at least the secrets are stored gpg-encrypted then :)
The secrets will be saved as a hidden file named .mina.json in the home directory of the current user.
This doesn’t offer any protection against other users on the same machine. Encrypting the secrets is the way to go, but in the meantime you should do
os.chmod(JSON_URL, stat.S_IRUSR | stat.S_IWUSR)
to prevent other users from being able to view the file.
That’s susceptible to race conditions. You have to do a little umask dance before creating the file.
Nice! What are you using for QR code generation?