Kap: Handle `password` field type for plugin configuration

Created on 23 Feb 2019 · 8 Comments · Source: wulkano/Kap

It would be great to be able to store a password in a secure way in the plugins configuration.

Example:

```js
password: {
  title: 'Password',
  type: 'password',
  required: true
},
```

This consists of 2 components:

  • Add an ajv definition for type password
  • Use bcrypt to store the encrypted password

Related to wulkano/kap/pull/623

Help Wanted Medium Planned Feature

All 8 comments

I think I'm missing something. Wouldn't the point of saving the password in the config be to use it at some point in the plugin runtime? How would we retrieve the password if we hash it with bcrypt before saving? We would have to save it as plaintext.

Does the service you are trying to build a plugin for support tokens? I think that would probably be the best way of going about it, rather than saving the user's password.

@karaggeorge seems like a token can be used: https://docs.nextcloud.com/server/13/developer_manual/api/OC/Authentication/Token/IToken.html

The service I try to integrate is called "Nextcloud".

@ochorocho I would suggest using that instead, as we can't really save a user's password other than plaintext

Supporting a password field might be a bad idea as it gives the illusion of security, but in reality, the password is just stored in plain text on disk.

Instead, I think we should update the plugin guide about recommending using a token instead.

To me it sounds like we should force tokens for security reasons @sindresorhus, but I'm not sure how or if that would work. As @karaggeorge mentioned:

> Does the service you are trying to build a plugin for support tokens?

I'll update the docs to encourage token usage and close this issue unless anyone has additions @ochorocho.

> To me it sounds like we should force tokens for security reasons @sindresorhus

I don't see how we would enforce that. Not providing a password type and documenting the recommendation is the most we can do, I think.

Yeah, we can add a note that basically says the plugins' config is saved as a plaintext file, so saving passwords is not particularly safe, but at the end of the day the plugins are made by other users, so if a user wants to install one and enter their password, that's up to them.

@skllcrn OK, thanks. Now I'm using Nextcloud's login flow and it's working how I wanted it to work :-)
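
The objection raised in the first comment, worked through as an added example (not part of the original thread and not Kap code): a config store that hashes `password` fields one-way can later verify a re-typed password, but cannot hand the plugin a credential to send to the remote service. Node's built-in scrypt stands in for bcrypt here, and `saveConfig`, `basicAuth` and the sample credentials are hypothetical.

```javascript
// Added illustration; saveConfig, basicAuth and the sample values are hypothetical,
// not Kap's plugin API. scrypt stands in for bcrypt (both are one-way functions).
const crypto = require('node:crypto');

// One-way storage as proposed in the issue: keep only a salt and the derived hash.
function hashForStorage(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

// The only operation a stored hash supports: checking a candidate typed again.
function verify(candidate, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(candidate, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// What the plugin runtime needs: the secret itself, to send to the remote service.
function basicAuth(user, secret) {
  return 'Basic ' + Buffer.from(`${user}:${secret}`).toString('base64');
}

// Simulate saving a config whose schema marks some fields as type 'password'.
function saveConfig(schema, values) {
  const saved = {};
  for (const [key, value] of Object.entries(values)) {
    saved[key] = schema[key].type === 'password' ? hashForStorage(value) : value;
  }
  return saved;
}

const schema = { username: { type: 'string' }, password: { type: 'password' } };
const typed = { username: 'alice', password: 'correct horse' }; // constructed sample
const onDisk = saveConfig(schema, typed);

function demo() {
  return {
    canVerify: verify('correct horse', onDisk.password),
    rejectsWrong: verify('wrong guess', onDisk.password),
    // Replaying the stored value gives a different header from the one the service expects.
    headerMatches: basicAuth(onDisk.username, onDisk.password) ===
      basicAuth(typed.username, typed.password),
  };
}

console.log(demo());
```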
