Security Enhancement in authorization #1964
Comments
For 2.) and 3.) there is SSL |
I agree that the password encryption/storage in Navidrome is not optimal, but this is a trade-off to keep compatibility with Subsonic API. Please refer to: As long as we want to support Subsonic clients, there's not much we can do. What you can do is:
|
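The trade-off described in the reply above, as an added example (not Navidrome's code and not part of the original thread). It assumes the Subsonic API token scheme, in which the client sends `t = md5(password + salt)` together with `s = salt`; the record layout, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 600_000  # constructed parameter for this example


def subsonic_token(password: str, salt: str) -> str:
    """Client side of Subsonic token auth: t = md5(password + salt), sent with s = salt."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def one_way_hash(password: str, db_salt: bytes) -> bytes:
    """What the issue proposes storing: a salted one-way hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), db_salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:  # hypothetical storage record, not Navidrome's schema
    db_salt: bytes
    pw_hash: bytes
    recoverable_password: Optional[str] = None  # only set in the "reversible" model


def verify_password_login(rec: UserRecord, submitted: str) -> bool:
    """Password sent over TLS (e.g. a login form): the stored hash is sufficient."""
    return hmac.compare_digest(one_way_hash(submitted, rec.db_salt), rec.pw_hash)


def verify_subsonic_token(rec: UserRecord, salt: str, token: str) -> bool:
    """Token auth: the server must recompute md5(password + salt) for each request."""
    if rec.recoverable_password is None:
        # A one-way hash cannot be turned back into the password, so there is
        # nothing to feed into md5(password + salt): the request cannot be checked.
        raise ValueError("token auth needs the original password, not its hash")
    expected = subsonic_token(rec.recoverable_password, salt)
    return hmac.compare_digest(expected.encode(), token.encode())


def make_user(password: str, keep_recoverable: bool) -> UserRecord:
    db_salt = os.urandom(16)
    return UserRecord(db_salt, one_way_hash(password, db_salt),
                      password if keep_recoverable else None)


if __name__ == "__main__":
    t = subsonic_token("correct horse", "c19b2d")  # constructed sample values
    print(verify_subsonic_token(make_user("correct horse", True), "c19b2d", t))
```

A server that keeps only `pw_hash` can still check a password submitted over TLS, but it has no way to validate a Subsonic token, which is why supporting those clients forces recoverable storage.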
Huh... I guess you're saying that navidrome needs its own apps :) Perhaps navidrome users could have optional subsonic credentials that are not necessarily the same as the native navidrome credentials. Maybe even have the ability to disable the subsonic API completely for those that don't use it? |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Question & Present Situation
I noticed that the password is stored in the folder with a simple encryption method, where the encryption key is also stored in the same place, which is extremely dangerous if the storage can be accessed. I wonder if this situation could be improved by storing the hash code of the original password.
Solution
Noting that the solution should provide security in both data transmission and data storage, I propose a new authorization model, that is
Many people use the same password that they use on other important social media, which poses a potential danger to their information security if the password can be accessed on the server. However, even if attackers obtain the hash code, they cannot compute the password in reverse (in the mathematical sense).
I don't know if it's easy for you to make this change, or if there are any other defects in my solution... Please feel free to contact me.