Comments (10)
I will happily tackle it. This is perfect for JWT tokens because we can store every needed piece of info in the token itself; also, username/password can be kept in a file. The only thing is, I would store the password hashed just in case, but we can start with just storing them in a JSON file.
from slashboard-pulsar.
Actually, it was very bad: the key was expected in the URL, which is very much public and visible to anyone even with TLS, so it was not secret at all. I'm about to drop a PR.
from slashboard-pulsar.
I think this can be closed since we merged the change, unless you want to keep this one around for the other 2 points.
from slashboard-pulsar.
Currently, the only actual implemented security measure is a 64-char alphanumeric key which prevents random people who know your server's IP and port from accessing its status. However, I am aware (although I have no idea how to fix it) that there might be ways of overriding this.
I'd love to know what your concerns are, and how you plan on fixing them 😄
from slashboard-pulsar.
I already took a look at the code. My first idea is to make it a username/password combination and (correct me if it already is) serve the endpoints under TLS, i.e. HTTPS, since right now the "key" is sent in plaintext and this is highly insecure unless you only work inside your private network. So in short, my idea is twofold:
- Make the credentials username/password based and switch over to a JWT/session system to avoid sending the pair on every request; JWT is nice here because it's self-contained and can work without a DB;
- Optionally expose the endpoints over HTTPS (make it optional, as local networks don't need it as much) or offer guidance on reverse proxying the server;
- Add host whitelisting (i.e. only respond to allowed IPs);
I further suggest implementing these in 2 phases: first and foremost, replace the current "key" system with the proposed one or similar, plus the optional TLS; finally, implement the host whitelisting.
from slashboard-pulsar.
We can later improve it with more secure methods (but these require more setup, so make them available, not mandated) like certificate-based authentication or similar.
from slashboard-pulsar.
These are good ideas indeed. For now, I want to keep user data such as settings and saved servers in a client-side JSON file, so storing these in a database for each account is something I want to avoid.
However, improving the key system is a good thing (I didn't spend a lot of time researching that subject because no actual sensitive information is being shared, but it might be better to implement this anyways). If you want to take care of this, you can; otherwise I'll tackle the issue later when I'm done finishing up the front-end and the API routes.
Anyways, I'm adding this to the backlog.
from slashboard-pulsar.
Feel free to assign me to this.
from slashboard-pulsar.
There you go.
from slashboard-pulsar.
Yes, I'm closing this, I'll reopen it if needed.
from slashboard-pulsar.