
Password sent in clear text

Open F00ker opened this issue 9 years ago • 3 comments

On every REST call the username and password are sent in clear text, meaning the demo server's access logs are filled with login combos.

The API supports password encryption (using enc:)

And any shared jamstash.

F00ker, Jul 24 '15 13:07

Hi,

I'm not sure what you're suggesting, we do use 'enc:' when sending passwords. Anyway, we don't have many options since Subsonic requests username and password for every request. Subsonic also supports HTTP Basic Authentication, I haven't tried implementing it in Jamstash yet, do you think it could solve this problem?

Hyzual, Jul 26 '15 14:07

Hi,

My access logs show a clear text password: GET /rest/getMusicFolders.view?c=Jamstash&callback=angular.callbacks._t&f=jsonp&p=cleartext&u=cleartext&v=1.6.0

I'm not sure if basic HTTP auth would change all that much from the encryption point of view but it should slightly lighten the server load.

F00ker, Jul 26 '15 14:07

To be precise, we encrypt the password when saving it, in the settings. Then we send what we saved as-is. Maybe try entering your password and saving again?

Yes, I didn't think basic auth would improve password encryption either. I'm putting it aside for now as there are other things that need improvements, in the meantime feel free to contribute a pull request :).

Hyzual, Jul 26 '15 15:07