View Issue Details

IDProjectCategoryView StatusLast Update
0007414Talerlibeufin-bankpublic2023-11-29 01:30
ReporterChristian Grothoff Assigned ToAntoine A  
Status closedResolutionfixed 
Platformi7OSDebian GNU/LinuxOS Versionsqueeze
Product Version0.9.2 
Target Version0.9.3Fixed in Version0.9.3 
Summary0007414: [security] Demonstration SPA stores password in plaintext in localstorage
DescriptionNora reports:

The SPA currently stores the login details on the client in LocalStorage as backend-state.username & backend-state.password in plaintext.

We should instead serve authentication tokens which would be stored in place of a password, at a bare minimum.

Something like a simple randomized string that would get invalidated after some time should be sufficient, however something similar to RFC7519 should also work. Either way, we should not store the password (in an unhashed form) anywhere, neither on the client, nor the server.
TagsNo tags attached.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2022-10-23 15:20 Christian Grothoff New Issue
2022-10-23 15:20 Christian Grothoff Status new => assigned
2022-10-23 15:20 Christian Grothoff Assigned To => MS
2023-01-08 11:31 Christian Grothoff Target Version => 0.9.4
2023-04-13 20:26 Florian Dold Category sandbox => libeufin sandbox
2023-04-13 20:26 Florian Dold Project libeufin => Taler
2023-04-13 20:26 Florian Dold Category libeufin sandbox => General
2023-04-13 21:41 Florian Dold Category General => libeufin-sandbox
2023-09-03 18:16 Christian Grothoff Assigned To MS => Antoine A
2023-09-23 15:26 Christian Grothoff Category libeufin-sandbox => libeufin-bank
2023-11-22 15:48 sebasjm Status assigned => resolved
2023-11-22 15:48 sebasjm Resolution open => fixed
2023-11-29 01:28 Christian Grothoff Target Version 0.9.4 => 0.9.3
2023-11-29 01:29 Christian Grothoff Fixed in Version => 0.9.3
2023-11-29 01:30 Christian Grothoff Status resolved => closed