This repository has been archived by the owner on Oct 20, 2023. It is now read-only.

Hash password for website #10

Closed
MartinVingerhoets opened this issue Jun 2, 2019 · 4 comments
Labels
critical This issue describes a problem that impedes the applications basic function enhancement New feature or request

Comments

Contributor

MartinVingerhoets commented Jun 2, 2019

Could you make it so the password you enter in the website is hashed, because it is currently being sent in plain text, which isn't a good idea.

@themoonisacheese themoonisacheese added critical This issue describes a problem that impedes the applications basic function enhancement New feature or request labels Jun 3, 2019

sijanec commented Sep 25, 2019

A hash would not help. A hash with a nonce would, but it is still not advised to connect to this website from the Internet because it has no SSL. SSL would be just a ridiculous overkill for this project.

A safe connection to the website would be via an SSH tunnel to your host (encrypted).

And remember: if someone else has user access to your host, or if you have a website with many features that is subject to directory traversal and arbitrary file read, make sure to chmod 700 -R . your 2bored2wait directory so others won't be able to read your MINECRAFT ACCOUNT data! There is no way to store a hash of it on the host.
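The difference between a plain hash and a hash with a nonce, raised in the comment above, as an added example that is not part of the original thread and is not 2bored2wait code. The names `staticHashLogin`, `LoginVerifier` and `clientResponse` are hypothetical, the password is a constructed sample, and HMAC-SHA-256 is one assumed way to combine password and nonce.

```javascript
// Added example: all names here are hypothetical, not from the 2bored2wait code base.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');
const safeEqual = (a, b) => {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
};

// Scheme 1: the client sends sha256(password). The hash is now the credential:
// the same bytes are accepted every time, so a recorded login can be replayed.
function staticHashLogin(storedPassword, receivedHash) {
  return safeEqual(sha256(storedPassword), receivedHash);
}

// Scheme 2: the server issues a fresh single-use nonce and the client answers
// with HMAC(password, nonce). A recorded answer fails against any other nonce.
class LoginVerifier {
  constructor(password) {
    this.password = password;
    this.pending = new Set(); // nonces issued but not yet answered
  }
  issueNonce() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  verify(nonce, response) {
    if (!this.pending.delete(nonce)) return false; // unknown or already used
    return safeEqual(hmac(this.password, nonce), response);
  }
}

// Client side of scheme 2.
const clientResponse = (password, nonce) => hmac(password, nonce);

function demo() {
  const password = 'constructed-sample-password';
  const recordedHash = sha256(password); // what crosses the wire in scheme 1
  const replayStatic = staticHashLogin(password, recordedHash);
  const server = new LoginVerifier(password);
  const n1 = server.issueNonce();
  const r1 = clientResponse(password, n1);
  const firstLogin = server.verify(n1, r1);
  const replaySameNonce = server.verify(n1, r1); // nonce already consumed
  const replayNewNonce = server.verify(server.issueNonce(), r1);
  return { replayStatic, firstLogin, replaySameNonce, replayNewNonce };
}
console.log(demo());
```

The nonce only stops a recorded login from being reused; everything after login still crosses the wire unencrypted, which is why the thread points to an SSH tunnel or an SSL-terminating reverse proxy.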


NBTX commented Nov 30, 2019

@sijanec It's not necessary to implement SSL into the application itself, you can use an NGINX (or some other) reverse proxy that you expose to the public-facing internet which implements SSL.


NBTX commented Nov 30, 2019

Also, regarding the Minecraft account, I think when you start the application, you should input your Minecraft password into the website.

One feature I may look at implementing is seeing if we can grab the user's authentication token straight from the client by default, so we don't even normally need to enter the password into the file. (Obviously this won't work if you aren't running the server locally, but I imagine this will allow a significant chunk of people to avoid entering their password.)

@MrGeorgen
Collaborator

@sijanec It's not necessary to implement SSL into the application itself, you can use an NGINX (or some other) reverse proxy that you expose to the public-facing internet which implements SSL.

good solution

@MrGeorgen MrGeorgen mentioned this issue Mar 15, 2021