Closed (ghost closed this 2 years ago)
Which is why it is recommended to run HAP+ under an AAD App Proxy using Kerberos constrained delegation. HAP+ then maintains no usernames or passwords. This project is also no longer in development.
If you wish to fix it, please do a PR and fix.
HAP requires a valid username and password combination to connect to Active Directory so it can validate user logins and retrieve their files. Once the Administrator enters the password, it is encrypted and salted using AES encryption. This is not safe for multiple reasons, most notably the fact that the key and salt are publicly exposed in the Git repository. Anyone who has access to the passwords essentially has them in plain text. You can easily just reverse engineer the encryption. example
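An added example, not code from the HAP+ repository, showing the pattern the issue describes (key and salt committed to source) beside the same cipher with its key material taken from the host instead; it assumes .NET 6 or later, and the `HAP_CONFIG_KEY` variable name is an assumption:

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Constructed illustration, not HAP+ code: the cipher is identical in both paths;
// only the origin of the key material differs.
public static class ServiceAccountSecret
{
    // WEAK: key-derivation inputs committed to the repository (constructed placeholders).
    // Anyone who can read the source and the config file can run Decrypt() themselves.
    private const string RepoPassphrase = "passphrase-committed-to-git";
    private static readonly byte[] RepoSalt = Encoding.UTF8.GetBytes("salt-committed-to-git");
    public static byte[] WeakEncrypt(string secret) => Encrypt(RepoPassphrase, RepoSalt, secret);
    public static string WeakDecrypt(byte[] blob) => Decrypt(RepoPassphrase, RepoSalt, blob);

    // BETTER: passphrase supplied by the host (environment variable set by the admin,
    // never committed) and a random per-installation salt stored beside the ciphertext,
    // so a clone of the repository alone no longer reveals the password.
    private static string HostPassphrase() =>
        Environment.GetEnvironmentVariable("HAP_CONFIG_KEY")   // assumed variable name
        ?? throw new InvalidOperationException("HAP_CONFIG_KEY is not set on this host");
    public static (byte[] Salt, byte[] Blob) HostEncrypt(string secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return (salt, Encrypt(HostPassphrase(), salt, secret));
    }
    public static string HostDecrypt(byte[] salt, byte[] blob) => Decrypt(HostPassphrase(), salt, blob);

    private static byte[] Encrypt(string passphrase, byte[] salt, string secret)
    {
        using var kdf = new Rfc2898DeriveBytes(passphrase, salt, 100_000, HashAlgorithmName.SHA256);
        using var aes = Aes.Create();
        aes.Key = kdf.GetBytes(32);
        aes.GenerateIV();                          // fresh IV per encryption, stored in front of the ciphertext
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] ct = aes.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
        byte[] blob = new byte[aes.IV.Length + ct.Length];
        Buffer.BlockCopy(aes.IV, 0, blob, 0, aes.IV.Length);
        Buffer.BlockCopy(ct, 0, blob, aes.IV.Length, ct.Length);
        return blob;
    }

    private static string Decrypt(string passphrase, byte[] salt, byte[] blob)
    {
        using var kdf = new Rfc2898DeriveBytes(passphrase, salt, 100_000, HashAlgorithmName.SHA256);
        using var aes = Aes.Create();
        aes.Key = kdf.GetBytes(32);
        aes.IV = blob[..16];
        return Encoding.UTF8.GetString(aes.CreateDecryptor().TransformFinalBlock(blob, 16, blob.Length - 16));
    }
}
```

The host-bound variant still keeps the service account password recoverable on the server itself; the deployment the maintainer recommends (AAD App Proxy with Kerberos constrained delegation) goes further, since HAP+ then stores no password at all.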