Opened 13 years ago

Closed 7 years ago

Last modified 7 years ago

#106 closed enhancement (fixed)

API authentication should be encrypted

Reported by: erik@… Owned by: erik@…
Priority: minor Milestone: Wishlist
Component: api Version:
Keywords: authentication, encryption, login, Cc:

Description

There's a note on the wiki REST page about using digest authentication. This would mean that the passwords of all the users will be saved cleartext in the database, but all the authentication made by clients would be in "encrypted form". The encryption is simplified as HASH(username, sharedsecret, randomdata).

To make this happen there should be some example code in the wiki.

Change History (5)

comment:1 Changed 13 years ago by Tom

Component: adminapi
Summary: Encrypted authentication to API and stuffAPI authentication should be encrypted
Type: defectenhancement

For API authentication, we should look at the work done for other REST standards like Atom, because they were made with one eye on how clients could implement things today.

comment:2 Changed 13 years ago by erik@…

I apperantly misunderstood what Johnny Doe ment, he wanted us to use a pubkey to anonymize everyone. I thought he ment encrypted logins,

comment:3 Changed 12 years ago by Tom Hughes

I think using SSL is a lot simpler - using digest authentication would force everybody to change their passwords apart from anything else as we don't currently have a cleartext version of anybody's passwords.

comment:4 Changed 7 years ago by Tom Hughes

Resolution: fixed
Status: newclosed

Web site logins are now SSL encrypted and we have OAuth for the API so there is no need to reveal the actual passwords there if you don't want to.

Digest authentication would require storing passwords in the clear which I absolutely don't want to do. OAuth is the preferred authentication method for the API anyway.

I think we can call this fixed.

comment:5 Changed 7 years ago by Tom

Had a few trace emails recently. Blast from the past. I love seeing these 6 year old tickets getting closed. Thanks to all involved!

And yeah, TomH, OAuth and SSL totally covers it :)

Note: See TracTickets for help on using tickets.