Security issue!

[Nedrapter]

The API personal token is visible to all players if they check the module's settings!

[eXaminator]

I will look into this and consider whether it is feasible to make the API key a user setting instead. It should be possible given that currently only the GM can interact with Kanka directly.

[Nedrapter]

Thank you! If it's possible for users to put their own key use Kanka according to their access, that'd be great!

[eXaminator]

There would be no use for players to enter their keys because they can only see the imported documents in foundry. There is no way for players to interact with Kanka through this module as of now (and I don't know if I'll ever add those features that would allow it).

[Nedrapter]

I see :( In that case, at least we should hide the admin token from the players' settings.

[eXaminator]

I just quickly checked this issue.

It seems to me, that players don't actually have access to world settings in the UI right now. Obviously they CAN access the key via the console. Only trusted GMs have access to world settings as far as I can see, unless you change the actual permissions for that:

So did you change the setting or are you just concerned that players might access the setting via the console?

The reason I ask is, that I have to weigh the security aspect here vs. the UX aspect (having set the token once without having to set it on every device you use to access your world).

[Nedrapter]

I did have this setting changed, although I can't remember why... it's been a long time. (I'm not even sure what settings does it allow people to modify and what they can modify anyway) As for the console, I think people who know how to abuse a token, will probably know how to find it in the console too. Personally, I'd be in favor of more security over some convenience, as I have so many hours of work in Kanka to build a complete Homebrew world and I only access from one device 99% of the time.