tsquillario/Jamstash

Password sent in clear text

Opened this issue · 3 comments

On every REST call the username and password are sent in clear text, meaning the demo server's access logs are filled with login combos.

The API supports password encryption (using enc:)

And any shared jamstash.

Hi,

I'm not sure what you're suggesting, we do use 'enc:' when sending passwords.
Anyway, we don't have many options since Subsonic requires a username and password for every request. Subsonic also supports HTTP Basic Authentication; I haven't tried implementing it in Jamstash yet. Do you think it could solve this problem?

Hi,

My access logs show a clear text password:
GET /rest/getMusicFolders.view?c=Jamstash&callback=angular.callbacks._t&f=jsonp&p=cleartext&u=cleartext&v=1.6.0

I'm not sure if basic HTTP auth would change all that much from the encryption point of view, but it should slightly lighten the server load.
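The access-log line quoted above is exactly what a server operator needs to find and scrub. The following script is an added example (not Jamstash or Subsonic code) that scans common-log-format lines for Subsonic `/rest/` requests carrying the `u`/`p` query parameters and emits a redacted copy; per the Subsonic API, the `enc:` prefix marks a hex-encoded password, which is reversible, so the script treats it as a credential too. The log lines are constructed, with the first mirroring the request quoted in this issue.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Subsonic REST query parameters that carry credentials: u = username,
# p = password, either plain or hex-encoded with an "enc:" prefix (Subsonic API).
# Hex encoding is reversible, so both forms count as a credential in the log.
SENSITIVE_PARAMS = {"u", "p"}

# Constructed access-log lines (documentation IPs, made-up values); the first
# request mirrors the one quoted in the issue.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2014:21:03:11 +0000] "GET /rest/getMusicFolders.view?c=Jamstash&callback=angular.callbacks._t&f=jsonp&p=cleartext&u=cleartext&v=1.6.0 HTTP/1.1" 200 512
203.0.113.7 - - [10/Feb/2014:21:03:12 +0000] "GET /rest/ping.view?c=Jamstash&f=jsonp&p=enc:73336372337421&u=alice&v=1.6.0 HTTP/1.1" 200 128
203.0.113.9 - - [10/Feb/2014:21:03:13 +0000] "GET /rest/getCoverArt.view?c=Jamstash&f=jsonp&id=12&v=1.6.0 HTTP/1.1" 200 4096
203.0.113.9 - - [10/Feb/2014:21:03:14 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Pulls the request target out of the quoted request field of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def exposed_credential_params(target: str) -> dict:
    """Return the credential parameters found in a Subsonic /rest/ request target."""
    parts = urlsplit(target)
    if not parts.path.startswith("/rest/"):
        return {}
    return {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in SENSITIVE_PARAMS}


def redact_target(target: str) -> str:
    """Rewrite the target with credential values replaced; other parameters stay intact."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs, safe="[]")).geturl()


def scan_log(text: str) -> list:
    """Return (line_no, exposed_params, redacted_line) for every line leaking credentials."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        exposed = exposed_credential_params(target)
        if exposed:
            findings.append((no, exposed, line.replace(target, redact_target(target))))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the first two lines (plain and `enc:` passwords) and leaves the cover-art and static requests alone; the redacted copies are what should be retained if the logs are kept at all.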

To be precise, we encrypt the password when saving it in the settings. Then we send what we saved as-is. Maybe try entering your password and saving again?

Yes, I didn't think basic auth would improve password encryption either. I'm putting it aside for now as there are other things that need improvement; in the meantime, feel free to contribute a pull request :).