mirror of
https://github.com/nsupdate-info/nsupdate.info.git
synced 2026-04-25 08:35:56 +03:00
[GH-ISSUE #265] Refreshing "Show Configuration" invalidates host secret #221
Originally created by @mvglasow on GitHub (Jul 2, 2016).
Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/265
A few days ago I signed up for nsupdate.info and registered a host, then configured it with the settings on the "Show Configuration" page. I kept the browser tab open so I could go back in case I needed to do troubleshooting (which turned out to be necessary, after suffering from #207), blissfully unaware that I was resetting the secret on every browser restart (or whenever that URL was requested). It was only by coincidence that I discovered this, as there is no warning when reaching this page after configuring a new host.
I'd suggest changing the logic so that simply refreshing this page will not reset the secret. I understand that host secrets are stored in hashed form server-side, so there is no way to show the secret without regenerating it. Suggestion: when the page is loaded, show the full configuration but, instead of the secret, show a button "Regenerate secret" which the user has to click in order to regenerate the secret and see it.
@ThomasWaldmann commented on GitHub (Jul 2, 2016):
That it generates a new secret when invoked is documented and IIRC also pointed out on the user interface.
It can not show the configurations without access to a secret as the secret is part of the configurations.
So, just don't keep that view open?
@mvglasow commented on GitHub (Jul 3, 2016):
There is a hint when you show the configuration for an existing server, but not when you reach that page by adding a new server. Also, I'm not aware of an easy way to view the configuration parameters without resetting the secret.
Wouldn't it be technically possible to show all configuration data other than the secret? I'd be surprised if there was no way to do this... and it'd still come in handy when something goes wrong and a user wants to rule out any other errors, such as mis-typed URLs, user names and the like...
@ThomasWaldmann commented on GitHub (Apr 4, 2017):
see also #303.
Yes, we could show an incomplete (without password) configuration without generating a new password.
@kellytrinh commented on GitHub (Apr 22, 2020):
Just did a writeup on feature request and before hitting send I see 'similar issues' and turns out already asked for (and given in this thread the link to #303 is asking for same thing) - it seems like a common ask to get config instructions separate from password/private secret... Hope the devs can consider as it would make things easier.
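The behaviour requested in this thread, sketched as an added example that is not nsupdate.info's own code: a read-only GET shows every setting except the secret, and only an explicit POST (the "Regenerate secret" button) rotates the hashed secret and reveals the new value once. The `Host` class, `show_configuration` function, hostname and update URL are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Host:
    """Hypothetical host record: only a salted hash of the secret is stored."""

    def __init__(self, fqdn):
        self.fqdn = fqdn
        self.salt = b""
        self.secret_hash = b""

    def _hash(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def regenerate_secret(self):
        """State-changing: invalidates the old secret, returns the new one once."""
        secret = secrets.token_urlsafe(16)
        self.salt = secrets.token_bytes(16)
        self.secret_hash = self._hash(secret)
        return secret

    def check_secret(self, candidate):
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self._hash(candidate), self.secret_hash)


def show_configuration(host, method):
    """Hypothetical view: GET never changes state, only POST rotates the secret."""
    config = {
        "hostname": host.fqdn,
        "update_url": "https://updater.example.test/nic/update",  # constructed
        "secret": "<hidden: click 'Regenerate secret'>",
    }
    if method == "POST":
        # In a web framework this request would also carry a CSRF token.
        config["secret"] = host.regenerate_secret()
    elif method != "GET":
        raise ValueError("unsupported method")
    return config
```

With this split, reloading the page or restoring a browser tab issues only GET requests, so a client that is already configured keeps working.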