Hi,
I don't really know why you did this implementation, but it's a critical security issue to share the access credentials of the database with the client (browser). You could just pass the datasource ID or name and retrieve the access data from the backend store. You may argue that the used DB user should have only read access or limit it to a specific IP. Well, yes, this reduces the danger of this issue but doesn't eliminate it, and it should be fixed ASAP to make this plugin reliable.
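
The approach suggested in the post above, sketched as an added example that is not part of the original post or the plugin's code: the browser only ever holds a datasource ID, and the backend resolves it to credentials at query time. The store layout, field names, `client_config`, `handle_query` and `fake_run_query` are all assumptions made for illustration.

```python
import json

# Constructed backend-side store (hypothetical names and values); in a real
# deployment this would be the server's protected settings storage.
BACKEND_STORE = {
    "ds-1": {"name": "sales-db", "host": "db.internal.example", "port": 5432,
             "user": "report_ro", "password": "constructed-secret"},
}
CONNECTION_FIELDS = ("host", "port", "user", "password")


class DatasourceError(Exception):
    pass


def client_config(ds_id):
    """What the browser may see: an opaque ID and a display name only."""
    entry = BACKEND_STORE.get(ds_id)
    if entry is None:
        raise DatasourceError("unknown datasource")
    return {"id": ds_id, "name": entry["name"]}


def handle_query(raw_request, run_query):
    """Server-side handler: the request names a datasource, never its credentials."""
    req = json.loads(raw_request)
    if not isinstance(req, dict):
        raise DatasourceError("malformed request")
    # Refuse requests that try to supply connection details themselves.
    if set(CONNECTION_FIELDS).intersection(req):
        raise DatasourceError("connection details are not accepted from the client")
    ds_id, query = req.get("datasourceId"), req.get("query")
    if not isinstance(ds_id, str) or not isinstance(query, str):
        raise DatasourceError("malformed request")
    entry = BACKEND_STORE.get(ds_id)
    if entry is None:
        raise DatasourceError("unknown datasource")
    creds = {k: entry[k] for k in CONNECTION_FIELDS}  # never leaves the server
    rows = run_query(creds, query)
    return json.dumps({"rows": rows})  # only results go back to the browser


def fake_run_query(creds, query):
    # Stand-in for a real DB driver call; returns constructed rows.
    return [[1, "ok"]] if creds["password"] else []
```
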