GIScience / heigit-disaster-portal

GNU Affero General Public License v3.0

Improve API security #11

Open TheGreatRefrigerator opened 2 years ago

TheGreatRefrigerator commented 2 years ago

Currently secrets (API keys) are stored as hashes with a simple insecure algorithm (md5).

Only basic security through a Bearer token in the Authorization Header is implemented, which can easily be misused, as they can be identified in the requests a browser app makes.

A proper user login using OAuth 2 (optionally using JWT as Bearer) should be applied to ensure secure and up to date access management.

TheGreatRefrigerator commented 2 years ago

Partly handled in https://github.com/GIScience/heigit-disaster-portal/commit/efaf0392b4e7fe9d9fb505cab1b5d8a4c8453522 which implements a more secure hashing algorithm (1-directional) to store secret hashes
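The two comments above describe the weak scheme (unsalted MD5 of the API key, presented as a Bearer token) and the fix direction (a one-way hash for stored secrets). The following is an added example, not code from the heigit-disaster-portal repository or the linked commit, showing the weak hash beside a salted, slow, constant-time-verified alternative and a minimal Bearer-header check against it. The `ApiKeyStore` class, the `key_id.secret` token format and the PBKDF2 iteration count are assumptions made for this example; the project's own storage and token layout may differ.

```python
"""Added example: one-way storage and verification of API keys (not project code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption for the example: tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 100_000


@dataclass
class StoredKey:
    """What the database keeps: never the secret itself, only salt + digest."""
    salt: bytes
    digest: bytes
    iterations: int


def md5_store(api_key: str) -> bytes:
    """The weak scheme the issue describes: unsalted, fast MD5 of the secret.
    Equal secrets produce equal hashes, and a leaked table can be brute-forced cheaply."""
    return hashlib.md5(api_key.encode()).digest()


def hash_api_key(secret: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> StoredKey:
    """One-way, salted, deliberately slow hash of an API key (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)
    return StoredKey(salt=salt, digest=digest, iterations=iterations)


def verify_api_key(presented: str, stored: StoredKey) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), stored.salt,
                                    stored.iterations, dklen=32)
    return hmac.compare_digest(candidate, stored.digest)


class ApiKeyStore:
    """Hypothetical in-memory key table: key_id -> StoredKey (constructed for the example)."""

    def __init__(self) -> None:
        self._keys: Dict[str, StoredKey] = {}

    def issue(self) -> str:
        """Create a key; the plaintext is returned once and only its hash is kept."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = hash_api_key(secret)
        # The key_id prefix lets the server look up one row instead of hashing
        # the presented secret against every stored entry.
        return f"{key_id}.{secret}"

    def authenticate(self, authorization_header: Optional[str]) -> Optional[str]:
        """Return the key_id for a valid 'Authorization: Bearer <key_id>.<secret>' header, else None."""
        if not authorization_header:
            return None
        scheme, _, token = authorization_header.strip().partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        key_id, _, secret = token.partition(".")
        stored = self._keys.get(key_id)
        if stored is None or not secret:
            return None
        return key_id if verify_api_key(secret, stored) else None

    def revoke(self, key_id: str) -> None:
        """Revocation is a row delete; no secret material exists server-side to leak."""
        self._keys.pop(key_id, None)


if __name__ == "__main__":
    store = ApiKeyStore()
    token = store.issue()
    print("issued:", token)
    print("valid header ->", store.authenticate("Bearer " + token))
    print("tampered header ->", store.authenticate("Bearer " + token + "x"))
```

Because API keys are random high-entropy strings rather than human-chosen passwords, the salt and the constant-time comparison matter more than the slow hash; the iteration count is still useful as defence in depth against a leaked table. This example does not address the separate point about moving to OAuth 2 / JWT for user login; it only covers how the existing Bearer secrets are stored and checked.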