View Issue Details

ID: 0009620
Project: Taler
Category: merchant backend
View Status: public
Last Update: 2025-03-13 20:32
Reporter: Dana Dram
Assigned To:
Priority: high
Severity: feature
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 0.14
Target Version: 1.1
Summary: 0009620: Restrict public instance access and replace token-based authentication with username and password
Description: Currently, the application includes a "Clear" button that makes the instance public, removing the need for a token to log in. This poses a significant security risk, as it allows unrestricted access to the instance without proper authentication. To address this issue, the feature proposes blocking the ability to make the instance public through the "Clear" button.
Additionally, instead of relying solely on token-based authentication, the feature suggests replacing it with a more conventional and user-friendly authentication method: username and password. This change would enhance security by ensuring that access is tied to specific user credentials while maintaining ease of use for end-users.
Additional Information: To prevent making the instance public, it would be preferable to disable or remove the "Clear" button functionality.
Additionally, implementing username and password-based authentication as the primary login method would enhance security.
Tags: No tags attached.
Attached Files
Public_instance.png (50,487 bytes)   

Activities

Christian Grothoff

2025-03-13 14:23

manager   ~0024191

Hah! I actually already had exactly this discussion with Florian (username/password login), just didn't get around to filing a bug on it.
So thanks ;-)

Stefan

2025-03-13 20:32

developer   ~0024198

Solving this issue requires changing "access token" to "password" as an expression used in many different places in the Taler merchant backend. This will have consequences for internationalisation (take a look at https://weblate.taler.net/search/gnu-taler/merchant-backoffice/?q=access+token&sort_by=-priority%2Cposition&checksum=). Therefore I am stalling my own bug https://bugs.gnunet.org/view.php?id=9525 for a while until the English strings have been replaced, and then I'll have the German strings changed. This will make the most sense, as otherwise we would have a lot of "Strings marked for edit" in Weblate.

Issue History

Date Modified Username Field Change
2025-03-13 13:27 Dana Dram New Issue
2025-03-13 13:27 Dana Dram Status new => assigned
2025-03-13 13:27 Dana Dram Assigned To => Christian Grothoff
2025-03-13 13:27 Dana Dram File Added: Public_instance.png
2025-03-13 14:23 Christian Grothoff Note Added: 0024191
2025-03-13 14:24 Christian Grothoff Target Version => 1.1
2025-03-13 14:40 Christian Grothoff Assigned To Christian Grothoff =>
2025-03-13 14:40 Christian Grothoff Status assigned => confirmed
2025-03-13 20:32 Stefan Note Added: 0024198