I've been reviewing Postgres nodes for a project.
I just noticed that the database user and password are both stored by default in the flows.json file and as raw text.
node-red-contrib-postgresql v=0.15.4
Method to check
Open flows.json file in a text editor
Search for "postgreSQLConfig"
{
    "id": "20ee1ed37a85b563",
    "type": "postgreSQLConfig",
    "name": "",
    "host": "XXXXXXXX",
    "hostFieldType": "str",
    "port": 5432,
    "portFieldType": "num",
    "database": "XXXXXXXX",
    "databaseFieldType": "str",
    "ssl": "false",
    "sslFieldType": "bool",
    "applicationName": "",
    "applicationNameType": "str",
    "max": 10,
    "maxFieldType": "num",
    "idle": 1000,
    "idleFieldType": "num",
    "connectionTimeout": 10000,
    "connectionTimeoutFieldType": "num",
    "user": "XXXXXXXX",
    "userFieldType": "str",
    "password": "XXXXXXXX",
    "passwordFieldType": "str"
},
While I see that you can change this, surely the default shouldn't be for passwords to be stored in plain text?