Hide the API Secret in a password field

[thebookins]

The Nightscout API Secret in Loop is visible in the unhashed form. Since NS Care Portal is quite powerful (e.g. for users of OpenAPS who set temp targets remotely) it would be nice if the API Secret text field was secure (dots for the characters). Also, the API Secret could be hashed and only the hashed version stored within Loop.

[Kdisimone]

There is a way for NS users to retrieve their hashed API already...we could also change the field to that entry. Although, it would have the downside of making people do something semi-technical (opening up a console view in a browser and finding their hashed API in the settings)

[trixing]

What's the security benefit here? In a browser you can just set the cookie to the right hashed value and get the same access as if you provide the cleartext password...

…

On Wed, Mar 22, 2017 at 2:39 AM, katie disimone ***@***.***> wrote: There is a way for NS users to retrieve their hashed API already...we could also change the field to that entry. Although, it would have the downside of making people do something semi-technical (opening up a console view in a browser and finding their hashed API in the settings) — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#407 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAE2ahVxsIGzA36aSsvJFc03VKpb6bxEks5roHvEgaJpZM4Mdl8g> .

-- Jan Dittmer <jdi@l4x.org>, http://l4x.org

[Kdisimone]

I will add a customization instruction to the Loopdocs to let people choose whether their API secret is displayed or not...easy change on this line

Loop/Loop/Models/ServiceAuthentication/NightscoutService.swift

Line 31 in a5bc15a

isSecret: false,

[thebookins]

Thanks Katie!

[Kdisimone]

#1142