-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
admin.js: hide password for connection #539
base: master
Are you sure you want to change the base?
Conversation
To be honest, I am not sure about this. The password element doesn't support the "display password" function, so one cannot review that the password has been written correctly. For me this is an extremely important feature. It seems to be possible with React though (https://itnext.io/building-a-toggled-mask-password-input-component-w-react-and-material-ui-f55e6bd73434). |
Retrieving passwords via the GUI should be made completely impossible. I admit that this patch only hides the password. What is really needed is that passwords are not even transferred to the browser by adjusting the Mnesia query. This avoids risks like cross-site-scripting and man in the middle attacks. Displaying the clear text password all time is a complete no-no when working in an open space office with anybody being able to look over your shoulder. If you ever should want to verify the password you can use an Erlang shell and query the database. |
@xypron Heinrich, you should also remember, that this particular interface is also used for correct backup/restore of the server's database, making passwords unavailable through API will break this heavily. |
In the editor for connections do not display the characters of the password but use a input of type password. Closes issue gotthardp#538 Signed-off-by: Heinrich Schuchardt <[email protected]>
@altishchenko The requested change is about the GUI and not about any API. Backup is not done via the GUI. So I cannot follow your concern about backups and restores. |
@xypron Ok, but what about
I was saying that GUI is used for quick on-premises troubleshooting as well. What can be done with this? While this feature improves some security on your side, it breaks working procedures on mine for example, hence my vote against. If you need this feature that much, why not make it configurable and let others decide if they need this or not? Or, if it is not possible, run a vote with other community members too, otherwise it is improvement on your side against deterioration on mine . |
In the editor for connections do not display the
characters of the password but use a input of type
password.
Closes issue #538
Signed-off-by: Heinrich Schuchardt [email protected]