vortex-5 closed this 4 years ago
Great! As I said in the previous article, our goal is just to prevent many snooping eyes from "accidentally" viewing this information. While it may be just "perceived" security, many hackers may not know that.
Currently being done on a testing branch; will be released once I'm satisfied with stability.
Pre-release version is now up for testing.
Add a /jffs/setpassword.sh that will take a user's password and generate a password.js hash file. The prompt should indicate that setting a password of empty will clear the password.js file. It should work similarly to how the passwd utility works: setpassword.sh should bring up a basic password prompt; if possible, the password will not be visible while it is being typed. The prompt should also say (leave the password empty to clear the password prompt).
The hash file will be used to verify the typed in password.
The main UI will then be changed to prompt for password before showing the data, with an option to "remember this device for 30 days".
If no hash file is present, the bwmon.js script should function as it does now. If password.js is found, the script will first check if an existing password has been stored in a cookie from before. If it has, verification with the hashed password will be attempted; if it passes, the data will be presented. On failure, the cookie password will be cleared and the user will be required to enter the password again.
There will not be a failure prompt; the password field will clear to empty on failure, as currently the only indicator of password failure.
Note this is not true security, since we are not preventing the data from being available; we are just preventing casual snooping from knowing the URL. This is no substitute for actual security; our outstanding recommendations to not forward this UI on the internet still stand.
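One way the setpassword.sh described in this issue could look, as an added example that is not the project's own code. The salted SHA-256 scheme and the `passwordSalt`/`passwordHash` variable names are assumptions, since the issue does not specify the password.js format, and `sha256sum` is assumed to be available on the router.

```shell
#!/bin/sh
# Added example, not the project's script. The password.js layout and the
# salted SHA-256 scheme are assumptions; the issue does not define them.
PASSWORD_FILE="${PASSWORD_FILE:-/jffs/password.js}"   # location assumed from the issue

# hash_password SALT PASSWORD -> hex SHA-256 of SALT followed by PASSWORD
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# write_password_file PASSWORD FILE: an empty password clears FILE; otherwise
# FILE is replaced atomically with a fresh salt and hash, never the plaintext.
write_password_file() {
    if [ -z "$1" ]; then
        rm -f "$2"
        return 0
    fi
    salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    hash=$(hash_password "$salt" "$1")
    tmp="$2.tmp.$$"
    printf 'var passwordSalt = "%s";\nvar passwordHash = "%s";\n' "$salt" "$hash" > "$tmp"
    mv "$tmp" "$2"
}

# read_hidden PROMPT: read one line from the terminal with echo turned off.
read_hidden() {
    printf '%s' "$1" >&2
    saved=$(stty -g)
    trap 'stty "$saved"; exit 1' INT TERM   # restore echo if interrupted
    stty -echo
    IFS= read -r reply
    stty "$saved"
    trap - INT TERM
    printf '\n' >&2
    printf '%s' "$reply"
}

main() {
    pw=$(read_hidden 'New password (leave the password empty to clear the password prompt): ')
    again=$(read_hidden 'Retype new password: ')
    if [ "$pw" != "$again" ]; then
        echo 'Passwords do not match; nothing changed.' >&2
        return 1
    fi
    write_password_file "$pw" "$PASSWORD_FILE"
}

# Prompt only when executed under its intended name, not when sourced.
case "${0##*/}" in setpassword.sh) main ;; esac
```

Because the browser receives both the salt and the hash, this only supports the casual-snooping check the issue describes; the data itself remains reachable.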