colloqi/pisignage-server

Password saved in plain text in mongo db

Opened this issue · 3 comments

Going into the MongoDB shell and showing the settings collection reveals the authCredentials password in plain text.

Reproduction

Used commands:
mongosh
use pisignage-server-dev
db.settings.find()

Sample output showing the password in plaintext:

[
  {
    _id: ObjectId("object-id"),
    authCredentials: { user: 'admin-username', password: 'ADMIN-PASSWORD-IN-PLAINTEXT' },
    installation: 'pi-signage-username',
    newLayoutsEnable: false,
    systemMessagesHide: true,
    forceTvOn: false,
    disableCECPowerCheck: false,
    defaultDuration: 10,
    language: 'en',
    sshPassword: null,
    enableLog: false,
    hideWelcomeNotice: true,
    reportIntervalMinutes: 5,
    enableYoutubeDl: true,
    __v: 0
  }
]

Possibly in scope:

  • Add measures to salt and hash the password before it gets saved to the DB
  • Change the auth check to verify against the hashed password
  • Test the functionality of authentication and of setting a new password

Resources Found

Approaching 2 years and this hasn't been addressed yet?

Hi, this is used by players in the internal network and HTTP auth. We are not planning to solve this as of now.

Would love for this to be addressed. At least more security added for open-source servers. 2FA, SSO, different password for players than server, no plain text on players and MongoDB, etc.