Sharing login / password inadvertently

[aubertc]

Cf. https://github.com/popbr/data-integration/commit/749a3f0166792ef464694df4bd9248706f4c1367#r88647822

[aubertc]

Note that our github action now uses the pair testuser / password, and does not read the login / password from the xml file.

[MNSleeper]

This would mean we don't need to include the LoginInfo.xml document? If not, I might suggest keeping it for users that, for some reason, want their own root to use. To remedy accidental password, include a !*/LoginInfo.xml set of lines in the gitignore. Thoughts?

[MNSleeper]

I suppose I should ask if the Github action affects what users have to do/require any additional coding on my part. I'm not familiar with what a Github action does, but it reads like its only what Github does to run and compile a program.

[aubertc]

This would mean we don't need to include the LoginInfo.xml document? If not, I might suggest keeping it for users that, for some reason, want their own root to use. To remedy accidental password, include a !*/LoginInfo.xml set of lines in the gitignore. Thoughts?

One one hand, having this file is convenient, but not adding it in the repo. puts the burden of having to create it on the user. I've looked around and there are tons of ways of dealing with that, but most of them are complex and un-necessary secure: we are "simply" going to store public data and uses mysql as a tool, nothing in the database is secure.

After reading some, I like the solution posted here. We could do something like :

• Add a file Template-LoginInfo.xml that contains the default values (testuser and password, so just rename LoginInfo.xml),
• Have this file tracked by git,
• In the ReadMe, instruct the user to
  • Copy this file and rename it to LoginInfo.xml
  • Insert their actual credentials in there, following the template,
• In the applications (both actual application and test), have the program
  • Check if there is a LoginInfo.xml, if yes, use the credentials in it,
  • If there isn't any, maybe display a small warning "I will use the default credentials", and use the information in Template-LoginInfo.xml

This way, you and I will be able to edit the information in the copy of the file without being tracked, the other users will have a way of inserting their credential without being tracked, and github will be able to use the default credentials.

Thoughts? Do you feel like implementing that? I can give it a go if you prefer to focus on matching.

[aubertc]

I suppose I should ask if the Github action affects what users have to do/require any additional coding on my part. I'm not familiar with what a Github action does, but it reads like its only what Github does to run and compile a program.

You can ignore it for now, and we can chat about it later on.

[MNSleeper]

I have ensured that the logininfo file is deleted from the repo, ignored by the gitignore, and not able to be added. Closing the issue now.