seansfkelley / nas-download-manager

An open source browser extension for adding/managing download tasks to your Synology DiskStation.

question: are passwords stored as plain text #186

Closed brainchild0 closed 3 years ago

brainchild0 commented 3 years ago

Currently the extension maintains the ability to gain authentication to DSM across browser sessions. Are passwords stored, and if so, as plain text?

seansfkelley commented 3 years ago

Unfortunately, yes, but my hands are tied here: https://github.com/seansfkelley/synology-download-manager/blob/master/FAQ.md#are-my-username-and-password-stored-securely

brainchild0 commented 3 years ago

Yes, I agree, but there is at least one other option that some extensions have adopted, that being to require per-session password entry. In some extension designs storing the password locally is an option but not a requirement.

seansfkelley commented 3 years ago

True. While that feature is possible, I'd rather not introduce the complexity and weird interactions it'll have with other features (like finished-task notifications, which run in the background).

brainchild0 commented 3 years ago

I understand not wanting to implement it, but not the matter about complexity. Can you display the status information if the user has opened a session by providing a password, but otherwise simply show a password prompt?

By the way, does DSM offer any session keys, which may be persisted across browser uses?

seansfkelley commented 3 years ago

There's a lot of overlap in what you're asking for with #7, so these are helpful questions.

The extension works the way it does now -- with stored creds and no "remember password" checkbox -- because:

This last point is exacerbated by the lack of a software-only test environment, meaning that every authentication quirk, timeout or undocumented behavior has to be manually investigated and tested by: creating test accounts, fiddling with curl requests, waiting 10 seconds for DSM to render the login page, trying to guess how the API is supposed to work because documentation is poor, waiting a day to see if the session does or does not time out... the list goes on.

By the way, does DSM offer any session keys, which may be persisted across browser uses?

Generally yes, though I chose to persist the credentials themselves for reasons noted above. That said, this was not the case until recently (0.10.0), as I permitted some old versions of DSM to use cookie authentication for compatibility reasons.

Can you display the status information if the user has opened a session by providing a password, but otherwise simply show a password prompt?

The interaction between right-click-add-task and an invalid session is unpleasant without the auto-login enabled by storing credentials.

I don't want to throw a dialog up in the user's face within the page, both because I'm trying to minimize in-page Javascript as a design goal (simpler to maintain, fewer interactions with unknown pages leading to breakages, simpler UX) and because it's annoying. I'm not allowed to programmatically open the popup to ask for a password for, I guess, security or UX reasons.

I think my only choices are to either disable that feature if you don't save the password, hack in some kind of flow to get you to provide the password (a notification asking you to open the popup?), or open the can of worms around dealing with in-page Javascript so I can render a prompt.

brainchild0 commented 3 years ago

It seems that much of your discussion, unless I am mistaken, deals with the concern of losing a remote session during a browser session. This outcome, of course, may be averted simply by storing the password in memory, rather than also persistently, which was the subject of the original inquiry.

seansfkelley commented 3 years ago

Oh, yeah, in retrospect that is obvious. I've opened #190 as a replacement for this issue with that specific request.
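The design that the thread converges on (a persisted DSM session id, with the password itself held only in memory for the lifetime of the browser session) can be sketched as a small credential-holder module. The following is an added example, not code from the nas-download-manager extension; `storage` and `login` are assumed stand-ins for `browser.storage.local` (which is asynchronous in a real extension) and for the DSM login call, injected so the module runs outside a browser, and the account name and password it uses are constructed test values.

```javascript
// Added example (not the extension's code): keep the DSM password only in memory and
// persist nothing but the session id, so a browser restart loses the password but
// not a still-valid session, and a dead session without a password in memory is
// reported as 'needs-password' rather than silently failing or prompting in-page.

class DsmSessionManager {
  constructor({ storage, login, now = () => Date.now(), sessionTtlMs = 24 * 60 * 60 * 1000 }) {
    this.storage = storage;       // assumed persistent store: holds the sid only, never the password
    this.login = login;           // assumed DSM auth call: (username, password) -> sid, throws on bad creds
    this.now = now;               // injectable clock so expiry can be exercised deterministically
    this.sessionTtlMs = sessionTtlMs;
    this.memory = null;           // { username, password } for this browser session only
  }

  // The user typed the password into the popup: remember it in memory and log in.
  unlock(username, password) {
    this.memory = { username, password };
    return this.refreshSession();
  }

  // Log in with the in-memory credentials and persist only the resulting sid plus an expiry.
  refreshSession() {
    if (!this.memory) return { state: 'needs-password' };
    const sid = this.login(this.memory.username, this.memory.password);
    this.storage.set('session', { sid, expiresAt: this.now() + this.sessionTtlMs });
    return { state: 'ok', sid };
  }

  // What background work (finished-task notifications, right-click add-task) asks before calling DSM.
  getSession() {
    const saved = this.storage.get('session');
    if (saved && saved.expiresAt > this.now()) return { state: 'ok', sid: saved.sid };
    // Missing or expired: auto-login is only possible while the password is still in memory.
    return this.refreshSession();
  }

  // DSM rejected the sid (e.g. server-side timeout): discard it and try to re-establish.
  invalidateSession() {
    this.storage.remove('session');
    return this.refreshSession();
  }

  // Browser closed or extension reloaded: in-memory state is gone, persisted sid may survive.
  forgetPassword() {
    this.memory = null;
  }
}

// Constructed synchronous stand-in for browser.storage.local.
class FakeStorage {
  constructor() { this.data = {}; }
  get(key) { return this.data[key]; }
  set(key, value) { this.data[key] = value; }
  remove(key) { delete this.data[key]; }
}

// Constructed stand-in for the DSM login API: one fixed account, incrementing session ids.
function makeFakeLogin() {
  let counter = 0;
  return (username, password) => {
    if (username !== 'alice' || password !== 'hunter2-constructed') throw new Error('bad credentials');
    counter += 1;
    return `sid-${counter}`;
  };
}

// Walk through the lifecycle discussed in the thread and return each observation.
function demo() {
  let clock = 1000000;
  const storage = new FakeStorage();
  const mgr = new DsmSessionManager({ storage, login: makeFakeLogin(), now: () => clock, sessionTtlMs: 1000 });

  const beforeUnlock = mgr.getSession().state;                      // no password yet -> 'needs-password'
  const afterUnlock = mgr.unlock('alice', 'hunter2-constructed');   // logs in -> sid-1
  const persistedHasPassword = JSON.stringify(storage.data).includes('hunter2-constructed'); // false
  clock += 500;
  const reused = mgr.getSession();                                  // sid-1 still valid, no re-login
  clock += 1000;
  const renewed = mgr.getSession();                                 // expired -> auto re-login -> sid-2
  mgr.forgetPassword();                                             // simulate a browser restart
  const stillOk = mgr.getSession();                                 // persisted sid-2 still within TTL
  const afterInvalidate = mgr.invalidateSession().state;            // no password in memory -> 'needs-password'
  return { beforeUnlock, afterUnlock, persistedHasPassword, reused, renewed, stillOk, afterInvalidate };
}
```

The `persistedHasPassword` check is the property the original question is about: whatever ends up in the persistent store is a revocable session id with an expiry, never the password. The `afterInvalidate` case is the interaction seansfkelley raises about right-click-add-task: once the session is dead and the password is no longer in memory, the caller gets a `needs-password` state and must route the user to the popup rather than logging in automatically.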