When the system is started for the first time, the system administrator has to note the randomly generated passwords for the system. This happens on the initialization website (#4 (closed)). That page is currently not protected, so anyone on the network can see the generated passwords. To prevent unauthorized users from seeing this sensitive data, the page should be protected with a password.
Reasons
- highly valuable data is publicly exposed
- everyone on the network could see the system's root passwords
New Features
What feature(s) did you add?
Desired order of events:
- user opens initialization page
- init page prompts for password
- password is shown on the device's display
- user reads the password off the device
- user enters the password on the init page
- init page shows the system passwords
How did you implement it/them?
When a user enters the initialization page:
- generate an authentication code
- show the authentication code on the display
- store the authentication code in the user's session
- when an authentication code is entered check if it matches the one in the user's session
- if it does: the user had access to the device and is (probably) an administrator -> show the initialization page
- if it doesn't: tell the user that the code is wrong and allow him to generate a new one
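The flow above as an added Python example (not code from the PCSG commits). The session is modelled as a dict and `show_on_display` stands in for the device display; the six-digit code length and making each code single-use are assumptions of this example.

```python
import hmac
import secrets

CODE_DIGITS = 6  # assumed length; the post does not state one


class InitPageGate:
    """Gate for the initialization page, bound to one browser session."""

    def __init__(self, show_on_display):
        # Hypothetical callback that writes text to the device's display
        self.show_on_display = show_on_display

    def start(self, session):
        """User opens the init page: issue a fresh code, visible only on the device."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG
        session["auth_code"] = code
        session["authenticated"] = False
        self.show_on_display(code)  # never sent to the browser
        return "prompt"

    def submit(self, session, entered):
        """Handle the form; returns 'prompt', 'invalid' or 'passwords'."""
        expected = session.get("auth_code")
        if not expected or not entered:
            # Nothing to compare: reset and generate a new code instead of
            # reporting "invalid auth_code"
            return self.start(session)
        # Single-use (assumption): a wrong guess cannot be retried against the
        # same code, which limits guessing from the network
        del session["auth_code"]
        if hmac.compare_digest(expected.encode(), entered.strip().encode()):
            session["authenticated"] = True
            return "passwords"
        return "invalid"


if __name__ == "__main__":
    display = []                       # constructed stand-in for the display
    gate = InitPageGate(display.append)
    session = {}
    print(gate.start(session))                 # prompt
    print(gate.submit(session, "not-it"))      # invalid
    print(gate.start(session))                 # prompt (new code on display)
    print(gate.submit(session, display[-1]))   # passwords
```

Because the code lives only in the requesting session and on the display, a code read off the device does not unlock the page for a different session.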
Overview of the commits
The commits overlap somewhat across these points, so here is the list of commits with a short explanation:
- protect initialization page with a code shown on the display [4fa3fd4e]
- only show "invalid auth_code"-message if it is really invalid, otherwise reset session and generate new code [0fe7b71d]
- styled init page authentication process [9a03d4a3]
Preview
Login
Wrong passcode
Page displayed after correct passcode:
Thanks for reading
Jan, for PCSG Developers
Posted on Utopian.io - Rewarding Open Source Contributors