Open dappelt opened 6 years ago
Turns out that the BTP auth code from ilp-plugin-mini-accounts is used. So the account address is still the hashed auth token, which is not great, but at least the README is specific about using strong passwords.
A solution would be if the server rejects trivial passwords. Proposal here: https://github.com/interledgerjs/ilp-plugin-mini-accounts/blob/da-check-password/index.js#L15-L24
Follow-up to this issue I created on the old repo.
It looks like you took out BTP authentication completely. Now it seems to be enough that a BTP client proves that he opened a paychan to the server, right?
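
Added example, not part of the issue thread and not the code in the linked branch: one way a server could reject trivial auth tokens before deriving an account from them. The derivation `base64url(SHA-256(token))`, the thresholds and all function names are assumptions made for illustration.

```javascript
'use strict'
const crypto = require('crypto')

// Hypothetical policy values, not taken from the project.
const MIN_LENGTH = 16
const MIN_ENTROPY_BITS = 64

// Assumption: account = base64url(SHA-256(token)). The issue only says the
// account address is "the hashed auth token".
function tokenToAccount (token) {
  return crypto.createHash('sha256').update(token, 'utf8').digest('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
}

// Shannon entropy of the token's own character distribution, times its
// length. A crude heuristic: it catches short and repetitive tokens, not
// every dictionary phrase.
function estimateBits (token) {
  const counts = new Map()
  for (const ch of token) counts.set(ch, (counts.get(ch) || 0) + 1)
  const n = [...token].length
  let perChar = 0
  for (const c of counts.values()) perChar -= (c / n) * Math.log2(c / n)
  return perChar * n
}

function checkToken (token) {
  if (typeof token !== 'string' || token.length < MIN_LENGTH) {
    return { ok: false, reason: 'too short' }
  }
  if (estimateBits(token) < MIN_ENTROPY_BITS) {
    return { ok: false, reason: 'too predictable' }
  }
  return { ok: true, reason: null }
}

// Server side of auth: refuse weak tokens before any account is derived,
// since whoever presents the same token lands on the same account.
function accountForAuth (token) {
  const verdict = checkToken(token)
  if (!verdict.ok) throw new Error('auth token rejected: ' + verdict.reason)
  return tokenToAccount(token)
}
```
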