Hide API keys after save #707
Replies: 6 comments
-
You could the reverse proxy behind Auth as a temp measure for this via htpasswd. I do this and exclude my local IP range so I don't need to put a user/pass in locally but I do if I access it from outside my network. |
Beta Was this translation helpful? Give feedback.
-
Yeah, that's what I've done for now, but it's not an ideal solution...
…________________________________
From: j0nnymoe <notifications@github.com>
Sent: Tuesday, May 8, 2018 10:57:50 PM
To: linuxserver/Heimdall
Cc: Mathieu Pasquet; Author
Subject: Re: [linuxserver/Heimdall] Hide API keys after save (#179)
You could the reverse proxy behind Auth as a temp measure for this via htpasswd. I do this and exclude my local IP range so I don't need to put a user/pass in locally but I do if I access it from outside my network.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#179 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AK0JjxhjuGGHhR-T3g5eXcl_ZLEsMN6xks5twhTegaJpZM4T3Zj_>.
|
Beta Was this translation helpful? Give feedback.
-
Could this not be fixed by adding Ref.: |
Beta Was this translation helpful? Give feedback.
-
Not really. That's just a client side fix.
Anyone could open their browser device tools and change the field back to `type="text"`.
The easiest solution would be to make the field a one way input. Once the API key is submitted, clear the field and when you serve the page, just leave the field empty. Or, maybe for better UX, once the key has been saved, use `placeholder="•••••••••••••••"` to let users know something has been saved.
I'd do it myself as a pull request but I've never touched PHP...
…________________________________
From: MindTooth <notifications@github.com>
Sent: Saturday, June 9, 2018 9:11:22 AM
To: linuxserver/Heimdall
Cc: Mathieu Pasquet; Author
Subject: Re: [linuxserver/Heimdall] Hide API keys after save (#179)
Could this not be fixed by adding type=password[1] to the field itself?
Ref.:
[1] https://www.w3.org/TR/html52/sec-forms.html#password-state-typepassword
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#179 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AK0Jj-nf-gG28wfL--UszIKKqKtLzW33ks5t64MqgaJpZM4T3Zj_>.
|
Beta Was this translation helpful? Give feedback.
-
Your right, I only saw the benefit if someone were sitting next to you, or gain quick access to the site. I bet someone will come around and have a jab at it. However, if you feel experimental, this[1] is the relevant part to start looking. |
Beta Was this translation helpful? Give feedback.
-
it's not really designed to be public facing, that said, it might be worth looking into encrypting the app config details rather than just json_encoding them. |
Beta Was this translation helpful? Give feedback.
-
I have Heimdall running behind a reverse proxy, and it is therefore public facing. I like this as I can set it as my home page on all my devices, but now anyone who stumbles across my url will have my API passwords!
Not good.
It would be ideal if the API keys could just render as ******** after they have been saved.
Beta Was this translation helpful? Give feedback.
All reactions