pkp / ots

PKP XML Parsing Service
GNU General Public License v3.0

Don't use plaintext passwords in API calls #78

Closed axfelix closed 8 years ago

axfelix commented 8 years ago

Need to fix a really questionable decision made when setting up the API -- currently expects plaintext passwords (even though passwords are properly hashed in the DB), passed through the URL no less.

Since sending a hash over HTTP ultimately isn't much better, we should probably investigate using API tokens of some kind. I'm not particular about how this gets done but I'd like to add the least interface cruft possible. We could add "generate an API token" to the Settings page, and add another column to the users table of the db which stores a randomly generated UUID, and it would then act like a password for API use. This is probably simpler than using OAuth because it doesn't break the current passing-strings-in-URLs method?
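The token scheme sketched in the issue (a random per-user token stored in the users table, used in place of the password for API calls) worked through as an added example; this is not code from the ots project. It assumes hypothetical storage and header formats, stores only a hash of the token so a database leak does not yield usable credentials, and takes the token from an Authorization header rather than the URL, where it would land in server logs and browser history.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for the "users" table with the new
# token column the issue proposes (hypothetical field name).
USERS = {"alice": {"api_token_hash": None}}


def _token_hash(token: str) -> str:
    """Hash the token before storage; the plaintext is never persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_api_token(username: str) -> str:
    """Generate a fresh random token ("generate an API token" button),
    store only its hash and return the plaintext once to the caller."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    USERS[username]["api_token_hash"] = _token_hash(token)
    return token


def verify_api_token(username: str, presented: str) -> bool:
    """Check a presented token against the stored hash."""
    user = USERS.get(username)
    if user is None or user["api_token_hash"] is None:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(user["api_token_hash"], _token_hash(presented))


def authenticate_request(headers: dict) -> Optional[str]:
    """Resolve the calling user from 'Authorization: Bearer <user>:<token>'
    (hypothetical header format); returns the username or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    username, sep, token = auth[len("Bearer "):].partition(":")
    if not sep:
        return None
    return username if verify_api_token(username, token) else None
```

Revoking a token is then a matter of clearing the stored hash, which the plaintext-password scheme cannot offer without a password change.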