
Let me get this straight. Passwords, including the password of a domain admin, are hardcoded as plain text in client side JavaScript files. Surely, I must be reading this wrong?


Reading it wrong. Any application needs to use secrets; it's up to the developer to pass them in properly. For example, you can use environment variables, command line args when running the process, or a config file. This isn't a client-side library.


Yeah, you're reading it wrong. This is for Node, so it'd never be client side, and I'm sure the pw examples are in plaintext just for simplicity in the README.


The authors are even aware of this! The admin password in their first example is "howinsecure".


For a recent shared secret, I defaulted to "not very secure" for local dev/testing, but it uses an environment variable in practice.


Thank you for the clarification.



