Login username/password for IRC server is not stored correctly

[ukcb]

Where to set a password for a irc-server exactly? I can set a password in the Advanced settings, but when I restart convos I get no more connection to the irc-server (Access denied: Bad password?).
I need to re-enter the password, then it works again. Why is the password not saved?

[ukcb]

I must specify both in the advanced settings - username AND password! I had only entered the
password, which was not saved. I should have known. I checked the url-syntax in my connection.json.

username and password
"url":"irc://convos:password@irc-server:6697?nick=convos&tls=1"
it's working

username only
"url":"irc://convos:@irc-server:6697?nick=convos&tls=1"
does not work

password only
"url":"irc://irc-server:6697?nick=convos&tls=1"
does not work

password is a space
"url":"irc://convos:%20@irc-server:6697?nick=convos&tls=1"
PASS Syntax error
does not work

username and password is a space
"url":"irc://%20:%20@irc-server:6697?nick=convos&tls=1"
USER Syntax error
does not work

The last two examples are a suggestion for the future, if an error should occur.
An empty entry should be prevented.

[jhthorsen]

Why did you close this issue? Isn't this a bug..? Sounds like Convos should support just setting a password..?

[ukcb]

It's not really a mistake, but it should be better documented.
For my taste, a irc-server password should be specified for a new connection.
A unique password per irc-server should be sufficient.
Look into the RFC for command PASS https://tools.ietf.org/html/rfc1459#section-4.1.1

[jhthorsen]

I think this is a mistake which should be fixed.

[jhthorsen]

I've written a failing test, and the implemented logic seems to be pretty broken. It's not easy to fix, since I need to figure out if a new password is entered or not. The way it is now, I don't want to send the password to the web browser, but rather just store it on the server side once. But maybe it's ok to send it to the browser..? The reason behind not wanting to send it to the browser is in case the Convos installation is not served over TLS/SSL.

I have some ideas:

• Serve the connection URL back with a flag set. Example: irc://username@irc.example.com/?password=1 (Convos can then use "password=1" to render the form differently)
• Serve the URL back with username and password. Example: irc://username:secret@irc.example.com/
• Not quite sure, but maybe blank password is good enough indicator Example: irc://username:@irc.example.com
• Have some special password string "******" where the password goes. This might be in conflict with the actual password set, even though I find that very unlikely.

Will look at it later this week - Hopefully tomorrow.

[jhthorsen]

And also... How do I know if someone has submitted a blank password or not changed the password at all? I would like to avoid a "delete password" button. The special password string "******" could be used for this and it would also avoid password managers from autofilling the form. Though the password manager might pick it up as an actual password.

[ukcb]

Can not you simply send a PASS command before a SERVER command?

Pseudo-code: irc->write("PASS $pass") if $pass

[jhthorsen]

@ukcb: That works as expected, but the problem is that the sending the password from frontend to backend does not (always) work.

I've discussed it with @marcusramberg, and we came to the conclusion that it's ok to pass the username/password to the frontend from the backend. This is OK as long as Convos is protected with TLS/SSL, and there's other overlapping issues if you don't protect Convos with a secure connection.

[jhthorsen]

This is now fixed and will be part of the next release, version 0.99_33.