Handle `password` field type for plugin configuration #637
Comments
I think I'm missing something. Wouldn't the point of saving the password in the config be to use it at some point in the plugin runtime? How would we retrieve the password if we hash it with bcrypt before saving? We would have to save it as plaintext. Does the service you are trying to build a plugin for support tokens? I think that would probably be the best way of going about it, rather than saving the user's password.
@karaggeorge seems like a token can be used: https://docs.nextcloud.com/server/13/developer_manual/api/OC/Authentication/Token/IToken.html. The service I try to integrate is called "Nextcloud".
@ochorocho I would suggest using that instead, as we can't really save a user's password other than plaintext.
Supporting a password field might be a bad idea as it gives the illusion of security, but in reality, the password is just stored in plain text on disk. Instead, I think we should update the plugin guide about recommending using a token instead.
To me it sounds like we should force tokens for security reasons @sindresorhus, but I'm not sure how or if that would work. As @karaggeorge mentioned:
I'll update the docs to encourage token usage and close this issue unless anyone has additions @ochorocho.
I don't see how we would enforce that. Not providing a
Yeah, we can add a note that basically says the plugins' config is saved as a plaintext file, so saving passwords is not particularly safe, but at the end of the day the plugins are made by other users, so if a user wants to install one and enter their password that's up to them.
@skllcrn ok, thanks. Now I'm using Nextcloud's login flow and it's working how I wanted it to work :-)
It would be great to be able to store a password in a secure way in the plugins configuration.
Example:
This consists of 2 components:
- `ajv` definition for type `password`
- `bcrypt` to store the encrypted password

Related to /pull/623