Security model
How the helper protects your device token and credentials on disk.
The helper is the only Rust Pulse surface that runs on your computer. We treat its threat model seriously.
Renderer is sandboxed
nodeIntegration: false
contextIsolation: true
sandbox: true
The only API surface the renderer (the visible UI) has is window.rustplus, defined in preload.ts. The renderer cannot make network requests directly — everything goes through IPC to the main process.
Device bearer token at rest
Stored via Electron's safeStorage:
- macOS — Keychain.
- Windows — DPAPI (per-user encryption).
- Linux — libsecret (GNOME Keyring / KWallet).
On Linux without a keyring service, safeStorage falls back to plaintext on disk. The UI surfaces a yellow warning when this fallback is active so you can install a keyring if you want.
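The fallback described above is worth detecting in code rather than trusting `isEncryptionAvailable()` alone. The following is an added example, not the helper's own code: it wraps Electron's `safeStorage` behind a minimal interface (`isEncryptionAvailable`, `encryptString`, `decryptString`, and the Linux-only `getSelectedStorageBackend`) so the save/load logic and the plaintext-fallback warning can be exercised offline with a constructed fake. In the real app you would pass `require('electron').safeStorage` and a real file write instead of the in-memory `files` map.

```javascript
// Added example (not from the Rust Pulse helper). The storage argument is
// anything with the safeStorage shape; the fake at the bottom stands in for it.

// Electron's Linux-only safeStorage.getSelectedStorageBackend() returns
// 'basic_text' when no keyring service is present, i.e. the plaintext fallback.
// 'unknown' is returned before the backend is resolved, so treat it as unsafe too.
const PLAINTEXT_BACKENDS = new Set(['basic_text', 'unknown']);

// Report whether the token will actually be encrypted at rest on this platform,
// and a warning string for the UI when it will not.
function describeStorage(storage, platform) {
  if (!storage.isEncryptionAvailable()) {
    return { encrypted: false, backend: 'none',
      warning: 'OS encryption is unavailable; the token would be written in plaintext' };
  }
  if (platform === 'linux') {
    // isEncryptionAvailable() does not distinguish a real keyring from the
    // basic_text fallback, so ask which backend was selected.
    const backend = storage.getSelectedStorageBackend();
    if (PLAINTEXT_BACKENDS.has(backend)) {
      return { encrypted: false, backend,
        warning: `safeStorage is using the ${backend} backend; install a keyring (GNOME Keyring or KWallet) to encrypt the token` };
    }
    return { encrypted: true, backend };
  }
  // macOS uses Keychain, Windows uses per-user DPAPI.
  return { encrypted: true, backend: platform === 'darwin' ? 'keychain' : 'dpapi' };
}

// Persist the token through safeStorage. The record also notes whether it was
// really encrypted, so the warning can be re-shown when the token is read back.
function saveToken(storage, files, path, token, platform) {
  const status = describeStorage(storage, platform);
  const blob = storage.encryptString(token); // Buffer
  files.set(path, JSON.stringify({ encrypted: status.encrypted, data: blob.toString('base64') }));
  return status;
}

// Read the token back; returns null when nothing has been stored yet.
function loadToken(storage, files, path) {
  const raw = files.get(path);
  if (raw === undefined) return null;
  const record = JSON.parse(raw);
  return { token: storage.decryptString(Buffer.from(record.data, 'base64')), encrypted: record.encrypted };
}

// Constructed fake standing in for electron.safeStorage so the example runs
// without Electron. The transform is reversible tagging only, NOT encryption.
function fakeSafeStorage(backend) {
  return {
    isEncryptionAvailable: () => true,
    getSelectedStorageBackend: () => backend,
    encryptString: (s) => Buffer.from('ENC:' + s, 'utf8'),
    decryptString: (b) => b.toString('utf8').slice(4),
  };
}

// Demonstration with constructed values: a keyring-backed Linux box and one
// that fell back to basic_text.
const files = new Map();
console.log(saveToken(fakeSafeStorage('gnome_libsecret'), files, 'device-token.json', 'tok-123', 'linux'));
console.log(loadToken(fakeSafeStorage('gnome_libsecret'), files, 'device-token.json'));
console.log(describeStorage(fakeSafeStorage('basic_text'), 'linux').warning);
```

The `encrypted` flag in the stored record is what lets a UI decide, on the next launch, whether the yellow warning still applies to the token it is about to use.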
Steam login window
Uses partition: 'persist:rustplus' so cookies survive between sessions. Practically: if you signed into Steam through Facepunch's site once, the next connect is one click.
The Steam login itself happens entirely inside Facepunch's Chromium-rendered Steam OpenID flow. The helper never sees your Steam password: you authenticate against Steam directly, and Facepunch then redirects back with a signed token.
Content Security Policy
The index.html declares a strict CSP:
script-src 'self';
No inline scripts, no remote scripts, no eval. So even a hijacked DOM (injected markup) still can't execute attacker-supplied script.
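Both hardening points above, the renderer's `webPreferences` and the `script-src 'self'` policy, are easy to regress silently in a refactor, so they are worth auditing as data. The following is an added example, not code from the helper: a small CSP parser plus a `webPreferences` comparison that flags `'unsafe-inline'`, `'unsafe-eval'`, remote script hosts and missing sandbox flags. The sample policies and preference objects are constructed for the example.

```javascript
// Added example (not from the Rust Pulse helper): audit the two settings the
// security model relies on. Pure data checks, no Electron needed.

// The values the helper's BrowserWindow is described as using. Electron's
// defaults for these have changed across versions, so the audit insists they
// are spelled out explicitly rather than relying on a default.
const REQUIRED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Parse a CSP string into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const rawDirective of policy.split(';')) {
    const parts = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return the problems found in the effective script-src (empty list = strict).
function auditScriptSrc(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  const problems = [];
  if (!sources) {
    problems.push('no script-src or default-src: scripts from any origin are allowed');
    return problems;
  }
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") problems.push("'unsafe-inline' allows inline scripts");
    else if (s === "'unsafe-eval'") problems.push("'unsafe-eval' allows eval()");
    else if (['*', 'https:', 'http:', 'data:', 'blob:'].includes(s)) problems.push(`${src} allows scheme-wide scripts`);
    else if (s !== "'self'" && s !== "'none'" && !s.startsWith("'nonce-") && !s.startsWith("'sha"))
      problems.push(`${src} allows scripts from a remote host`);
  }
  return problems;
}

// Compare a BrowserWindow webPreferences object against the required values.
function auditWebPreferences(prefs) {
  const problems = [];
  for (const [key, wanted] of Object.entries(REQUIRED_WEB_PREFERENCES)) {
    if (prefs[key] !== wanted) problems.push(`${key} must be ${wanted} (got ${prefs[key]})`);
  }
  return problems;
}

// Constructed samples: the strict shape from the text, and a weakened variant.
const STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'";
const WEAK_CSP = "script-src 'self' 'unsafe-inline' https://cdn.example.invalid";
const STRICT_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: true }; // sandbox left unset

console.log('strict CSP problems:', auditScriptSrc(STRICT_CSP));
console.log('weak CSP problems:', auditScriptSrc(WEAK_CSP));
console.log('strict prefs problems:', auditWebPreferences(STRICT_PREFS));
console.log('weak prefs problems:', auditWebPreferences(WEAK_PREFS));
```

Running both audits in a unit test against the real `index.html` policy and the `BrowserWindow` options object turns the security model's two claims into something CI can fail on.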
Network requests
Every outbound request is performed in the main process, which is the only context with the device token. Hosts contacted:
- rustpulse-api — pairing + credentials upload.
- companion-rust.facepunch.com — Steam OpenID login + push registration.
- exp.host — Expo push-token trade.
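Keeping every request in the main process only helps if that process also refuses to talk to anything outside the three hosts above and only attaches the device token where it belongs. The following is an added example, not the helper's code, of such an outbound allowlist: exact hostname matching, https only, no credentials in the URL, and the bearer token added only for the Rust Pulse API. The page abbreviates the API host as "rustpulse-api", so `rustpulse-api.example.invalid` is a placeholder for it; the sample URLs are constructed.

```javascript
// Added example (not from the Rust Pulse helper): main-process egress allowlist.

// Placeholder for the real Rust Pulse API hostname (page only says "rustpulse-api").
const API_HOST = 'rustpulse-api.example.invalid';
const ALLOWED_HOSTS = new Set([API_HOST, 'companion-rust.facepunch.com', 'exp.host']);

// Decide whether a URL may leave the main process. Returns {ok, reason|url}.
function checkOutboundUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: `scheme ${url.protocol} is not https:` };
  if (url.username || url.password) return { ok: false, reason: 'credentials embedded in URL' };
  // Exact hostname match. A substring or suffix check would also accept
  // unrelated hosts that merely contain one of the allowed names.
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: `host ${url.hostname} is not allowlisted` };
  return { ok: true, url };
}

// Build the request description for the allowed URL. The device bearer token is
// attached only for the Rust Pulse API; Facepunch and Expo never receive it.
function buildRequest(urlString, deviceToken) {
  const check = checkOutboundUrl(urlString);
  if (!check.ok) throw new Error(`blocked outbound request: ${check.reason}`);
  const headers = { accept: 'application/json' };
  if (check.url.hostname === API_HOST) headers.authorization = `Bearer ${deviceToken}`;
  return { url: check.url.toString(), headers };
}

// Demonstration with constructed URLs and a constructed token value.
const SAMPLE_TOKEN = 'device-token-placeholder';
console.log(buildRequest(`https://${API_HOST}/credentials/fcm`, SAMPLE_TOKEN));
console.log(buildRequest('https://companion-rust.facepunch.com/', SAMPLE_TOKEN));
console.log(checkOutboundUrl('http://exp.host/'));
console.log(checkOutboundUrl('https://exp.host.example.invalid/'));
```

Wiring `buildRequest` in front of the helper's fetch call, and rejecting any IPC message that carries a raw URL from the renderer, keeps the "renderer cannot make network requests" property true in practice rather than only by convention.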
What if my device is compromised
If an attacker has shell access to your computer and can read your OS keychain:
- They can see your device bearer token.
- They can call /credentials/fcm as you.
- The API still requires the Steam ID on the credential bundle to match the Steam ID on the session, so an attacker would need to provide a credential bundle matching your Steam ID — which requires them to also pass through Facepunch's Steam OpenID flow as you.
In other words: a compromised device leaks your bearer token but not your Rust+ pairing token. That's a meaningful improvement over self-hosted bots, which keep the Rust+ pairing token in plaintext on the host's disk.