
Handle password field type for plugin configuration #637

Open
ochorocho opened this issue Feb 23, 2019 · 8 comments

Comments

@ochorocho

It would be great to be able to store a password in a secure way in the plugin's configuration.

Example:

password: {
  title: 'Password',
  type: 'password',
  required: true
},

This consists of 2 components:

  • Add an ajv definition for type password
  • Use bcrypt to store the encrypted password

Related to /pull/623

@karaggeorge
Member

I think I'm missing something. Wouldn't the point of saving the password in the config be to use it at some point in the plugin runtime? How would we retrieve the password if we hash it with bcrypt before saving? We would have to save it as plaintext.

Does the service you are trying to build a plugin for support tokens? I think that would probably be the best way of going about it, rather than saving the user's password.

@ochorocho
Author

@karaggeorge seems like a token can be used: https://docs.nextcloud.com/server/13/developer_manual/api/OC/Authentication/Token/IToken.html

The service I try to integrate is called "Nextcloud".

@karaggeorge
Member

@ochorocho I would suggest using that instead, as we can't really save a user's password other than in plaintext.

@sindresorhus
Member

sindresorhus commented Apr 26, 2019

Supporting a password field might be a bad idea as it gives the illusion of security, but in reality, the password is just stored in plain text on disk.

Instead, I think we should update the plugin guide about recommending using a token instead.

@skllcrn
Member

skllcrn commented Apr 26, 2019

To me it sounds like we should force tokens for security reasons @sindresorhus, but I'm not sure how or if that would work. As @karaggeorge mentioned:

Does the service you are trying to build a plugin for support tokens?

I'll update the docs to encourage token usage and close this issue unless anyone has additions @ochorocho.

@sindresorhus
Member

To me it sounds like we should force tokens for security reasons @sindresorhus

I don't see how we would enforce that. Not providing a password type and documenting the recommendation is the most we can do, I think.

@skllcrn skllcrn self-assigned this Apr 26, 2019

@karaggeorge
Member

Yeah, we can add a note that basically says the plugins' config is saved as a plaintext file, so saving passwords is not particularly safe. But at the end of the day the plugins are made by other users, so if a user wants to install one and enter their password, that's up to them.

@ochorocho
Author

ochorocho commented Apr 26, 2019

@skllcrn OK, thanks. Now I'm using Nextcloud's login flow and it's working how I wanted it to work :-)
