Undocumented REST API connexion
It is possible to connect a client with username/password to the REST API with:
from coreapi import Client, auth

url = 'http://127.0.0.1:8000/api/schema'
username = 'toto'
password = 'secret123'

# HTTP Basic authentication: the username and password are attached to every request
client = Client(
    auth=auth.BasicAuthentication(
        username=username,
        password=password))
document = client.get(url)
But this method is not in the documentation.
As the login/password are sent without encryption, this is an unsecured way to get authenticated to the server through the API. We recommend not doing so. You should rather authenticate using a token.
If the web site is served over HTTPS, it should be OK. The encryption should be ensured by the security level of the protocol.
Moreover, if sending username and password in plain text is a problem, the HTML connection page is also unsecured. It's a simple form without any security part. I don't see any JS script. It sends values for csrfmiddlewaretoken (security against cross-site request forgery), id_username (username), id_password (password) and next (page to open after the connection).
(maybe create another issue for this?)
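The two replies above make the same point from different angles: Basic authentication only encodes the credentials, so without TLS anyone who can read the request can recover them. The following is an added example (not code from the issue or the project) that shows what the BasicAuthentication client actually puts in the Authorization header, how trivially it decodes, what a token header looks like instead, and a client-side check that refuses to send credentials to a non-https:// URL. The function names and the sample credentials are constructed for illustration.

```python
# Added example: Basic auth on the wire vs. token auth, plus an https:// guard.
import base64
from urllib.parse import urlparse


def basic_auth_header(username, password):
    """Build the Authorization header value that HTTP Basic authentication sends.

    RFC 7617: base64("username:password"). Base64 is an encoding, not encryption.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value):
    """Recover (username, password) from a Basic Authorization header.

    Anyone who can observe a plain http:// request can do exactly this,
    which is why the header is only acceptable over TLS.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(encoded).decode("utf-8")
    # The username may not contain ':', so split on the first one only;
    # this keeps passwords that themselves contain ':' intact.
    username, _, password = decoded.partition(":")
    return username, password


def token_auth_header(token, scheme="Token"):
    """Authorization header value for token authentication (e.g. 'Token <key>').

    A token can be revoked and rotated independently of the user's password,
    and the password itself never travels with the request.
    """
    return f"{scheme} {token}"


def is_safe_for_credentials(url):
    """Return True only if the URL uses https://, the only scheme under which
    a Basic or Token header is protected in transit."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    # Constructed sample credentials, matching the ones in the issue above.
    header = basic_auth_header("toto", "secret123")
    print("on the wire:", header)
    print("recovered:  ", decode_basic_auth(header))
    print("token form: ", token_auth_header("0123456789abcdef"))  # placeholder token
    for target in ("http://127.0.0.1:8000/api/schema", "https://example.invalid/api/schema"):
        print(target, "->", "ok" if is_safe_for_credentials(target) else "REFUSE: credentials in clear")
```

The guard is what a hardened client would run before handing any Authorization header to the transport; the issue's own URL (http://127.0.0.1:8000) is exactly the case it would refuse outside local development.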
Well, HTTPS should be set everywhere, I completely agree.