Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

config.md does not hint at passwords being stored in clear text #44

Closed
almereyda opened this issue Dec 6, 2017 · 3 comments
Closed

config.md does not hint at passwords being stored in clear text #44

almereyda opened this issue Dec 6, 2017 · 3 comments

Comments

@almereyda
Copy link
Contributor

The config.md documentation document suggests users to store their account credentials for allowing write operations.

The special page write_operations.md mentions the fact of clear text storage, but far away even from README.md.

Would it be possible to provide the password as a secure hash to the remote auth endpoint instead?
@maxlath
Copy link
Owner

maxlath commented Dec 6, 2017

the constrain is that, unless using OAuth (for which there is a pending issue #25 and which itself will need to store secret keys) we need to be able to recover the password, would stocking the password as a hash of a symmetric algorithm (like base64) address your concern?

maxlath added a commit that referenced this issue Dec 7, 2017
@maxlath
docs: config: added a warning on the password being persisted as clea…
ce7737a 
…r text

addressing #44
@maxlath
Copy link
Owner

maxlath commented Dec 7, 2017

the hint is there now

@almereyda almereyda mentioned this issue Dec 7, 2017
Open
@almereyda
Copy link
Contributor Author

No, a symmetric hash does not address the concern, but this is probably a separate issue.

Thanks for telling the users more prominently about the caveats with this. Closing in favour of #45.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maxlath @almereyda