Why does API still requires plain-text password?

Posted in

#1 by widowan
2021-12-14 at 02:20
< report >I've been looking at API documentation and the major thing that stood out was the fact that it required plaintext password sent. Why? I'm not so worried about sending it (since encryption and stuff) rather than about storing it in plaintext... I understand that this is an animu porn website and major OSes have keyrings and stuff but I still feel rather uncomfortable...
#2 by widowan
2021-12-14 at 02:25
< report >What I meant to say is "Why it's not hashed at least"
#3 by Yorhel
2021-12-14 at 06:01
< report >Because I simply hadn't gotten to implementing a token or session system. You're welcome to contribute one.
#4 by widowan
2021-12-14 at 20:59
< report >I mean, it doesn't have to be a token/session system, as far as I can see passwords are scrypt'ed anyways
#5 by Yorhel
2021-12-15 at 06:05
< report >Yeah but I'm not going to give you my global salt.

I realized yesterday that implementing a session system would actually not be too much work as most of the infrastructure is already there. I'll see if I can give it a try.
#6 by widowan
2021-12-15 at 08:01
< report >Thanks for looking at least!
#7 by Yorhel
2021-12-15 at 12:39
< report >Yup, that wasn't so bad, API now supports session tokens.

Still requires plain-text password for initial login, but at least you won't have to store it.
#8 by widowan
2021-12-15 at 20:53
< report >Thank you! <3


You must be logged in to reply to this thread.