View Issue Details

ID: 0007414
Project: Taler
Category: libeufin-sandbox
View Status: public
Last Update: 2023-04-13 21:41
Reporter: Christian Grothoff
Assigned To: MS
Status: assigned
Resolution: open
Platform: i7
OS: Debian GNU/Linux
OS Version: squeeze
Product Version: 0.9.2
Target Version: 0.9.4
Summary: 0007414: [security] Demonstration SPA stores password in plaintext in localstorage
Description: Nora reports:

The SPA currently stores the login details on the client in LocalStorage as backend-state.username & backend-state.password in plaintext.

We should instead serve authentication tokens which would be stored in place of a password, at a bare minimum.

Something like a simple randomized string that would get invalidated after some time should be sufficient; however, something similar to RFC7519 should also work. Either way, we should not store the password (in an unhashed form) anywhere, neither on the client, nor the server.
Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2022-10-23 15:20 Christian Grothoff New Issue
2022-10-23 15:20 Christian Grothoff Status new => assigned
2022-10-23 15:20 Christian Grothoff Assigned To => MS
2023-01-08 11:31 Christian Grothoff Target Version => 0.9.4
2023-04-13 20:26 Florian Dold Category sandbox => libeufin sandbox
2023-04-13 20:26 Florian Dold Project libeufin => Taler
2023-04-13 20:26 Florian Dold Category libeufin sandbox => General
2023-04-13 21:41 Florian Dold Category General => libeufin-sandbox