Closed notbasetwo closed 1 year ago
I’m all in for this. Given the known security vulnerabilities, nobody should be encouraged to pass their root credentials.
An API key with minimal permissions should do the job.
I have fixed this in the library and provided a PR to the library upstream. Someone else also implemented it and created a PR (https://github.com/CpuID/pve2-api-php-client/pull/44); his implementation might be better than mine. Sadly, the patch hasn't been accepted yet. In version 0.1.0, though, this will already be shipped.
Meanwhile, I've rewritten the library to use Symfony. The authentication has been rewritten completely in #29. Details will follow. As module 0.0.5 isn't in the extension store anymore and should not be used anyway, I'm closing this issue as resolved.
Removing the username/password authentication would be ideal, but would require replacing the library. A fork which uses API keys is available here (but perhaps an in-house one would be better): https://github.com/notbasetwo/pve2-api-php-client.
The UI also mentions "root username/root password". We shouldn't be encouraging people to store their root information in FB.