Support storing the password for host protection in a hashed form
m90 opened this issue · 2 comments
Feature request
I would like to avoid storing my password for host protection in plain text in the app's config file. It should be possible to support providing a hashed password that can then be compared against.
Pros
It's not necessary to store a plain text password in the app's configuration files anymore.
Additional context
I would implement it like this:
- add a `host.passwordHash` option
- when `host.password` is provided, this will still take precedence
- PBKDF2 can be used to create the hash. Users will either have to follow documentation or a script that hashes its input can be provided in the repo
If you think this makes sense, I'd be happy to work on this myself.
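The proposal above, sketched as an added example for Node.js; it is not MiroTalk code and not written by the issue author. The `pbkdf2-sha256$iterations$salt$key` string layout, the iteration count and the function names `hashPassword`, `verifyHash` and `checkHostPassword` are assumptions made for illustration.

```javascript
// Added example, not MiroTalk code. The "pbkdf2-sha256$..." string layout and
// the function names are assumptions made for this illustration.
const { pbkdf2Sync, randomBytes, timingSafeEqual } = require('node:crypto');

const KEY_LEN = 32;         // derived key length in bytes
const ITERATIONS = 600000;  // assumed work factor, stored alongside the hash

// Produce the value an operator would paste into host.passwordHash.
function hashPassword(password, iterations = ITERATIONS, salt = randomBytes(16)) {
    const key = pbkdf2Sync(password, salt, iterations, KEY_LEN, 'sha256');
    return ['pbkdf2-sha256', iterations, salt.toString('base64'), key.toString('base64')].join('$');
}

// Re-derive the key from the submitted password and compare in constant time.
function verifyHash(submitted, stored) {
    const [scheme, iterText, saltB64, keyB64] = String(stored).split('$');
    const iterations = Number(iterText);
    if (scheme !== 'pbkdf2-sha256' || !Number.isInteger(iterations) || iterations < 1) return false;
    if (!saltB64 || !keyB64) return false;
    const expected = Buffer.from(keyB64, 'base64');
    if (expected.length === 0) return false;
    const salt = Buffer.from(saltB64, 'base64');
    const actual = pbkdf2Sync(String(submitted), salt, iterations, expected.length, 'sha256');
    return timingSafeEqual(actual, expected);
}

// Precedence from the proposal: a configured host.password still wins.
function checkHostPassword(host, submitted) {
    if (typeof host.password === 'string' && host.password !== '') {
        const a = Buffer.from(String(submitted));
        const b = Buffer.from(host.password);
        return a.length === b.length && timingSafeEqual(a, b);
    }
    if (typeof host.passwordHash === 'string') return verifyHash(submitted, host.passwordHash);
    return false; // neither option configured: reject
}
```

Because the salt and iteration count travel inside the stored string, the work factor can be raised later without invalidating hashes that are already deployed.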
Hey @m90,
Don't worry too much about having the username and password in the config file, since the server configuration isn't accessible from the outside, it's not a major cause for concern. If necessary, you can always set a password hash for added security, but personally, I don't find additional additions essential. Thank you anyway for your valuable suggestions. If you're interested, please join us on our official forum. We have a channel for ideas and suggestions where we can discuss together, and you can interact with the community as well. Have a great weekend!
Best regards,
Miroslav
> since the server configuration isn't accessible from the outside
The project I'd like to deploy Mirotalk for has all configuration publicly accessible, so putting the password in plain text is not an option. It occurred to me I can edit the config file to read from `process.env` or even use an IIFE that reads it from a file (i.e. Docker Swarm). I would still think having plain text passwords as the default could be a deal breaker for some use cases.