timoschlueter / nightscout-librelink-up

Script written in TypeScript that uploads CGM readings from LibreLink Up to Nightscout.
MIT License
192 stars 246 forks

Nightscout token in SHA1 really necessary? #29

Closed timoschlueter closed 2 years ago

timoschlueter commented 2 years ago

I want to analyze the SHA1 requirement of the Nightscout token. Some users are confused about the hashing of the token. In my instance, I don't hash the token and the plugin still works. Maybe we should update the documentation again. The SHA1 requirement was introduced in PR https://github.com/timoschlueter/nightscout-librelink-up/pull/21. @HansKre since I don't use Heroku: is the hashing something that is necessary on Heroku deployments? It does not seem to be required on local/docker deployments.

HansKre commented 2 years ago

Hi @timoschlueter, yes, at least for me, during my testing it wasn't working without hashing, even locally. Even if you look at the networking/HTTP traffic of the Nightscout website, the token is hashed. I was confused myself and then I was reading through their docs and they were saying that the token has to be hashed. I didn't save the link though, but if necessary, I might try finding it again.

timoschlueter commented 2 years ago

Very interesting! I will look deeper into this. I am confused that it works for me with the clear text token then. If we find out what's going on we can either update the doc or make the plugin smart enough to hash the token internally if necessary, so that users don't have to bother with the hashing themselves. :)

HansKre commented 2 years ago

Yes, agree. Unfortunately, I didn't find that doc on the quick, only this one: https://nightscout.github.io/nightscout/ifttt/ The one doc that I have in mind though was specifically mentioning that hashing of API-tokens is a best practice and security precaution, therefore it would kind of defeat that if we did it in the code. But I guess, it's not such a super-critical use case and could be done anyways 😄

HansKre commented 2 years ago

@timoschlueter I found the doc that I was looking for. If you go here: Developers: API authorization

There, it says: 'See this page for how to authenticate your app in the API calls.'

If you open that link, you'll find:

Before you can use the API you need to set API_SECRET in your server's Config Variables to a secure password of your choosing. The API converts the API_SECRET into a SHA1 hash at runtime.

To authenticate with the API your app needs to send the same API_SECRET password as a SHA1 Hash in the HTTP Headers as API-SECRET (note the underscore on the server, and dash in the HTTP Headers on your client app). You may test to confirm your API_SECRET is handshaking properly using a REST client to point to this endpoint on your Nightscout server.
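As an added example (not part of this thread or of the project's code), here is how a TypeScript client could implement what the quoted docs describe: SHA1-hash the plaintext API_SECRET and send the digest in the API-SECRET header, passing through a value the user has already hashed so it is not hashed twice. Function names and the 40-hex-character detection heuristic are my own assumptions.

```typescript
import { createHash } from "crypto";

// A SHA1 hex digest is exactly 40 hex characters.
const SHA1_HEX = /^[0-9a-f]{40}$/i;

/** SHA1 hex digest of a plaintext API_SECRET, as the Nightscout docs require. */
function sha1Hex(secret: string): string {
  return createHash("sha1").update(secret, "utf8").digest("hex");
}

/** True if the configured value already looks like a SHA1 digest. */
function looksLikeSha1(value: string): boolean {
  return SHA1_HEX.test(value);
}

/**
 * Normalise a configured token: plaintext is hashed, a 40-hex value is
 * assumed to be pre-hashed and only lowercased. Caveat: a plaintext secret
 * that happens to be exactly 40 hex characters would be misdetected, so
 * document the behaviour rather than relying on it silently.
 */
function normaliseNightscoutToken(configured: string): string {
  const trimmed = configured.trim();
  if (looksLikeSha1(trimmed)) {
    return trimmed.toLowerCase();
  }
  return sha1Hex(trimmed);
}

/**
 * Headers for a Nightscout API request. Note the dash in the header name
 * (API-SECRET) versus the underscore in the server env var (API_SECRET).
 */
function nightscoutHeaders(configured: string): Record<string, string> {
  return {
    "API-SECRET": normaliseNightscoutToken(configured),
    "Content-Type": "application/json",
  };
}

// Constructed sample values, not real secrets.
const headersFromPlaintext = nightscoutHeaders("abc");
const headersFromDigest = nightscoutHeaders(
  "A9993E364706816ABA3E25717850C26C9CD0D89D"
);
console.log(headersFromPlaintext["API-SECRET"] === headersFromDigest["API-SECRET"]);
```

The two header sets above are identical, which is the point: a user may configure either the plaintext secret or its digest and the client sends the same thing.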