Fix proposal for not storing passwords in plain-text by timed tokens #243

Closed
wants to merge 2 commits into from


jaseg
Contributor

@jaseg jaseg commented Nov 27, 2011

This code is not yet complete or tested. There is still some work to be done, e.g. I still have not decided on one particular client-side sha512 implementation.
The authentication is handled by a one-time token which is generated by the client on authentication with a password and which is limited in its validity to two weeks. Thus an attacker only gets two weeks of access thanks to this method.

I will fix the above-mentioned issues and test the code as soon as I get my local etherpad instance running.

…password authentication but on a kind of 'timed cookies' so the password is not stored in plain text in some browser cookie.

Also modded some random string generation functions for elegance.
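The timed-token idea described in the comment above, as an added example that is not the code from this pull request or from Etherpad. It assumes a variant in which the server issues the token after the password check and stores only its SHA-512 hash; all function and variable names are hypothetical.

```javascript
// Added example: time-limited login tokens instead of a password cookie.
// Hypothetical names throughout; not Etherpad's implementation.
const nodeCrypto = require('crypto');

const TOKEN_TTL_MS = 14 * 24 * 60 * 60 * 1000; // two weeks, as in the PR text

function sha512Hex(value) {
  return nodeCrypto.createHash('sha512').update(value).digest('hex');
}

// Call only after the password check has succeeded. The returned token goes
// into the cookie; the server keeps only its hash and the expiry time, so
// neither the cookie nor the store ever holds the password.
function issueToken(store, user, now = Date.now()) {
  const token = nodeCrypto.randomBytes(32).toString('hex');
  store.set(sha512Hex(token), { user, expires: now + TOKEN_TTL_MS });
  return token;
}

// Returns the user name for a valid token, or null if unknown or expired.
function checkToken(store, token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = sha512Hex(token);
  const entry = store.get(key);
  if (!entry) return null;
  if (now >= entry.expires) {
    store.delete(key); // expired tokens are dropped on first use
    return null;
  }
  return entry.user;
}

// Logout or suspected cookie theft: invalidate every token of one user.
function revokeUser(store, user) {
  let removed = 0;
  for (const [key, entry] of store) {
    if (entry.user === user) { store.delete(key); removed++; }
  }
  return removed;
}

// Constructed demo run with a fixed clock (sample data, not from the page).
const demoStore = new Map();
const demoStart = Date.UTC(2011, 10, 27);
const demoToken = issueToken(demoStore, 'alice', demoStart);
console.log(checkToken(demoStore, demoToken, demoStart + 1000));
console.log(checkToken(demoStore, demoToken, demoStart + TOKEN_TTL_MS));
```
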
@Pita
Contributor

Pita commented Nov 27, 2011

Looks good so far. Ping me when it's ready and I will look closer at it.

@Pita
Contributor

Pita commented Nov 27, 2011

I'm not sure if it's a good idea to hash on the client side

@Pita
Contributor

Pita commented Dec 4, 2011

any news on that?

@Pita
Contributor

Pita commented Dec 7, 2011

any news on that?

@Pita
Contributor

Pita commented Dec 11, 2011

I close this cause you did another pull request about password security

@Pita Pita closed this Dec 11, 2011
muxator added a commit that referenced this pull request Oct 20, 2019
This upgrade should be backward compatible, but still suffers from major
vulnerabilities in its https-proxy-agent transitive dependency (see
https://www.npmjs.com/advisories/1184).

Changelog:
- https://github.com/npm/cli/releases

6.12.0 (2019-10-08):
    Now npm ci runs prepare scripts for git dependencies, and respects the
    --no-optional argument. Warnings for engine mismatches are printed again.
    Various other fixes and cleanups.

    BUG FIXES
    890b245dc #252 ci: add dirPacker to options (@claudiahdz)
    f3299acd0 #257 npm.community#4792 warn message on engine mismatch
                   (@ruyadorno)
    bbc92fb8f #259 npm.community#10288 Fix figgyPudding error in npm token
                   (@benblank)
    70f54dcb5 #241 doctor: Make OK more consistent (@gemal)

    FEATURES
    ed993a29c #249 Add CI environment variables to user-agent (@isaacs)
    f6b0459a4 #248 Add option to save package-lock without formatting Adds a new
                   config --format-package-lock, which defaults to true.
                   (@bl00mber)

    DEPENDENCIES
    0ca063c5d [email protected]:
        fix: filter functions and undefined out of makeEnv (@isaacs)
    5df6b0ea2 [email protected]:
        fix: pack git directories properly (@claudiahdz)
        respect no-optional argument (@cruzdanilo)
    7e04f728c [email protected]
    5c380e5a3 [email protected] (@isaacs)
    62f2ca692 [email protected] (@isaacs)
    0ff0ea47a [email protected] (@isaacs)
    f46edae94 [email protected] (@isaacs)

    TESTING
    44a2b036b #262 fix root-ownership race conditions in meta-test (@isaacs)

6.11.3 (2019-09-03):
    Fix npm ci regressions and npm outdated depth.

    BUG FIXES
    235ed1d28 #239 Don't override user specified depth in outdated. Restores
                   ability to update packages using --depth as suggested by npm audit. (@G-Rath)
    1fafb5151 #242 npm.community#9586 Revert "install: do not descend into
                   directory deps' child modules" (@isaacs)
    cebf542e6 #243 npm.community#9720 ci: pass appropriate configs for file/dir
                   modes (@isaacs)

    DEPENDENCIES
    e5fbb7ed1 [email protected] (@claudiahdz)
    23ce65616 [email protected] (@claudiahdz)

6.11.2 (2019-08-22):
    Fix a recent Windows regression, and two long-standing Windows bugs. Also,
    get CI running on Windows, so these things are less likely in the future.

    DEPENDENCIES
    9778a1b87 [email protected]: Fix regression where shims fail to preserve exit
              code (@isaacs)
    bf93e91d8 [email protected]: Properly handle git+file: urls on Windows
              when a drive letter is included. (@isaacs)

    BUGFIXES
    6cc4cc66f escape args properly on Windows Bash Despite being bash, Node.js
              running on windows git mingw bash still executes child processes
              using cmd.exe. As a result, arguments in this environment need to
              be escaped in the style of cmd.exe, not bash. (@isaacs)

    TESTS
    291aba7b8 make tests pass on Windows (@isaacs)
    fea3a023a travis: run tests on Windows as well (@isaacs)

6.11.1 (2019-08-20):
    Fix a regression for windows command shim syntax.

    37db29647 [email protected] (@isaacs)

v6.11.0 (2019-08-20):
    A few meaty bugfixes, and introducing peerDependenciesMeta.

    FEATURES
    a12341088 #224 Implements peerDependenciesMeta (@arcanis)
    2f3b79bba #234 add new forbidden 403 error code (@claudiahdz)

    BUGFIXES
    24acc9fc8 and 45772af0d #217 npm.community#8863 npm.community#9327 do not
              descend into directory deps' child modules, fix shrinkwrap files
              that inappropriately list child nodes of symlink packages (@isaacs
              and @salomvary)
    50cfe113d #229 fixed typo in semver doc (@gall0ws)
    e8fb2a1bd #231 Fix spelling mistakes in CHANGELOG-3.md (@XhmikosR)
    769d2e057 npm/uid-number#7 Better error on invalid --user/--group configs.
              This addresses the issue when people fail to install binary
              packages on Docker and other environments where there is no
              'nobody' user. (@isaacs)
    8b43c9624 nodejs/node#28987 npm.community#6032 npm.community#6658
              npm.community#6069 npm.community#9323 Fix the regression where
              random config values in a .npmrc file are not passed to lifecycle
              scripts, breaking build processes which rely on them. (@isaacs)
    8b85eaa47 save files with inferred ownership rather than relying on SUDO_UID
              and SUDO_GID. (@isaacs)
    b7f6e5f02 Infer ownership of shrinkwrap files (@isaacs)
    54b095d77 #235 Add spec to dist-tag remove function (@theberbie)

    DEPENDENCIES
    dc8f9e52f [email protected]: Infer the ownership of all unpacked files in
              node_modules, so that we never have user-owned files in root-owned
              folders, or root-owned files in user-owned folders. (@isaacs)
    bb33940c3 [email protected]:
        9c93ac3 #2 npm#3380 Handle environment variables properly (@basbossink)
        2d277f8 #25 #36 #35 Fix 'no shebang' case by always providing $basedir
                in shell script (@igorklopov)
        adaf20b #26 Fix $* causing an error when arguments contain parentheses
                (@satazor)
        49f0c13 #30 Fix paths for MSYS/MINGW bash (@dscho)
        51a8af3 #34 Add proper support for PowerShell (@ExE-Boss)
        4c37e04 #10 Work around quoted batch file names (@isaacs)
    a4e279544 [email protected] (@isaacs):
        fail properly if uid-number raises an error
    7086a1809 [email protected] (@isaacs)
    8845141f9 [email protected] (@isaacs)
    51c028215 [email protected] (@isaacs)
    534a5548c [email protected] (@isaacs)
    3038f2fd5 [email protected] (@isaacs)
    a609a1648 [email protected] (@isaacs)
    f0346f754 [email protected] (@isaacs)
    ca9c615c8 [email protected] (@isaacs)
    b417affbf [email protected] (@isaacs)

    TESTS
    b6df0913c #228 Proper handing of /usr/bin/node lifecycle-path test (@olivr70)
    aaf98e88c [email protected] (@isaacs)