This repository has been archived by the owner on Feb 18, 2021. It is now read-only.

Don't use plaintext passwords in API calls #78

Closed
axfelix opened this issue Aug 17, 2016 · 0 comments
axfelix commented Aug 17, 2016

Need to fix a really questionable decision made when setting up the API -- currently expects plaintext passwords (even though passwords are properly hashed in the DB), passed through the URL no less.

Since sending a hash over HTTP ultimately isn't much better, we should probably investigate using API tokens of some kind. I'm not particular about how this gets done but I'd like to add the least interface cruft possible. We could add "generate an API token" to the Settings page, and add another column to the users table of the db which stores a randomly generated UUID, and it would then act like a password for API use. This is probably simpler than using OAuth because it doesn't break the current passing-strings-in-URLs method?
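As an added example, not code from this issue or from the ojs3-markup project, here is one way the per-user API token proposed above could be implemented, written in Python for illustration (the project itself is PHP, but the scheme is language-agnostic). It goes one step beyond the comment in two ways, both assumptions of the example: the users-table column (the name api_token_hash is hypothetical) stores a SHA-256 of the token rather than the token itself, so a database dump does not hand out working API credentials, and the token is read from an Authorization header instead of the URL query string, so it stays out of access logs, proxy logs and browser history. The in-memory SQLite table and the user "alice" are constructed sample data.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Constructed stand-in for the project's users table. The column name
# api_token_hash is an assumption of this example, not the project's schema.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    api_token_hash BLOB
)
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with one sample user (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO users (username) VALUES (?)", ("alice",))
    conn.commit()
    return conn


def _hash_token(token: str) -> bytes:
    # A plain SHA-256 is enough here: the token is 256 bits of CSPRNG output,
    # so there is nothing for a brute-force or dictionary attack to guess,
    # unlike a user-chosen password, which needs a slow, salted hash.
    return hashlib.sha256(token.encode("ascii")).digest()


def generate_api_token(conn: sqlite3.Connection, user_id: int) -> str:
    """Issue a fresh token for the user, replacing any existing one.

    The token is shown to the user once; only its hash is stored, so it
    cannot be recovered from the database afterwards.
    """
    # 32 bytes from the OS CSPRNG, base64url-encoded (43 characters):
    # 256 bits of entropy versus about 122 for a random UUIDv4.
    token = secrets.token_urlsafe(32)
    conn.execute(
        "UPDATE users SET api_token_hash = ? WHERE id = ?",
        (_hash_token(token), user_id),
    )
    conn.commit()
    return token


def revoke_api_token(conn: sqlite3.Connection, user_id: int) -> None:
    """Clear the stored hash so the old token stops working immediately."""
    conn.execute("UPDATE users SET api_token_hash = NULL WHERE id = ?", (user_id,))
    conn.commit()


def authenticate_request(conn: sqlite3.Connection, headers: dict) -> Optional[int]:
    """Return the user id for a request carrying 'Authorization: Bearer <token>',
    or None if the header is missing, malformed, or the token is unknown/revoked.
    """
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    presented = _hash_token(token)
    # Look up by hash: the attacker never controls what is compared against
    # the stored value, only the input to SHA-256, so timing on the equality
    # leaks nothing useful. compare_digest on the fetched row is defence in
    # depth in case the lookup is ever changed to a username-keyed one.
    row = conn.execute(
        "SELECT id, api_token_hash FROM users WHERE api_token_hash = ?",
        (presented,),
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], presented):
        return None
    return row[0]


if __name__ == "__main__":
    db = open_db()
    issued = generate_api_token(db, 1)
    print("token (show once):", issued)
    print("valid request ->", authenticate_request(db, {"Authorization": "Bearer " + issued}))
    revoke_api_token(db, 1)
    print("after revoke  ->", authenticate_request(db, {"Authorization": "Bearer " + issued}))
```

A "generate an API token" button on the Settings page would call generate_api_token and display the result once; regenerating or revoking invalidates the previous token without touching the user's password, which is the main practical gain over reusing the login credential for API calls.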

@axfelix axfelix assigned axfelix and kaschioudi and unassigned axfelix Aug 17, 2016
axfelix referenced this issue in kaschioudi/ojs3-markup Aug 17, 2016
kaschioudi added a commit that referenced this issue Aug 25, 2016
kaschioudi added a commit that referenced this issue Aug 25, 2016
kaschioudi added a commit that referenced this issue Aug 25, 2016
@axfelix axfelix closed this as completed Sep 9, 2016