https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27305
--- Comment #6 from David Cook <[email protected]> --- (In reply to Nico Bako from comment #4) > My library is Huntsville Madison County Public Library. It looks like Bywater Solutions is probably the vendor for that one. Hopefully Huntsville get in touch with them, as it would be an interesting feature. > What I would really like to see, to help make the authentication more > secure, is to have another way other than providing user name and password > in the url. Many sites provide the ability to create an API token which can > be used for authentication instead. Something like that would be great, but > probably outside the scope of this issue. I'm not 100% sure what you mean by "API token" in this case. Koha already uses short-lived API tokens using OAuth2 for its HTTP API. I'm guessing you might mean something like an "API key" although even then you'd want to send it via a HTTP header or as POST data for security purposes. However, for your use case, you really do need some kind of generic authentication token that can be put into a URL parameter. It would be interesting to create "read tokens" with minimal fine-grained authorization. For instance, a read token that can only access your current due dates. That way someone can't re-use that token to review your past reading history, access your personal information, etc. > Yeah, I know it's not secure to pass user name and password in a url, but I > only use this url on my Google calendar, and if my Google account gets > hacked, then I have other more serious stuff to worry about... I understand that perspective, but the thing is your Google account doesn't have to be hacked. I don't intimately know Google's internal security practices, but storing a password in plain text that presumably any Google employee could read is not great. Or storing a password in plain text in the event that say all Google calendar links get leaked/dumped without any accounts being breached per se. But since this is a case of one person exploiting a quirk in the system... it's probably not a huge drama. And it is one that I hope will be closed in the future ;). -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
