Fix security bug with shell

This page is a capture in the next bucket of the product backlog — a pre-sprint idea, not yet pulled into a sprint as a story.

As reported by Gemini:

projects/ores.qt/include/ores.qt/ClientManager.hpp Comment on lines +302 to +305 /**

• @brief Get the stored password used for the current session.

*/ std::string storedPassword() const { return stored_password_; } Contributor @gemini-code-assist gemini-code-assist bot 2 hours ago security-critical critical

Exposing the stored password via a public getter storedPassword() introduces a significant security risk. Storing raw passwords in memory after authentication is already a sensitive practice, but providing a public accessor increases the attack surface within the application. Any component that can access the ClientManager can now retrieve the user's password in plain text.

A more secure approach should be considered:

Token-based Authentication: The main session could request a short-lived, single-purpose token from the server, which the shell window can then use to authenticate its own session. This avoids passing the raw password around. Session Management within ClientManager: Instead of the ShellMdiWindow creating its own session, ClientManager could be responsible for creating and providing a fully authenticated client_session object to the shell window, without ever exposing the credentials used to create it.