10 Jan 2015, 4:05 a.m.
On Jan 10, 2015, at 10:58 AM, Andrew Stuart wrote:
I’m aware that it’s not the actual cleartext password.
From a security perspective, should even salted and hashed passwords stay behind the API, or might there be a need for something on the other side of the API to access that field?
Keeping in mind that the core's REST API is a privileged API, only to be exposed over localhost, it is intended to make the hashed password field available. For a public-facing proxy, I would expect this field to be filtered out.
Cheers, -Barry
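To make the split Barry describes concrete (privileged API on localhost exposes the field, public-facing proxy strips it), here is an added example of the filtering step a proxy could apply to upstream JSON before forwarding it. This is illustration written for this page, not Mailman's code or any project's proxy; the field name `password`, the response layout, and the sample records are constructed assumptions. It goes slightly beyond the thread in two ways: the strip is recursive, so the field is removed from nested records as well as top-level ones, and non-JSON upstream bodies are refused rather than forwarded unfiltered.

```python
import json

# Constructed sample upstream response, shaped like a paginated collection of
# user records carrying a hashed password. The field name "password", the
# record layout and the values are assumptions for this example only.
SAMPLE_UPSTREAM_BODY = json.dumps({
    "start": 0,
    "total_size": 2,
    "entries": [
        {"user_id": 1, "display_name": "Alice",
         "password": "<hashed-password-placeholder>"},
        {"user_id": 2, "display_name": "Bob",
         "password": "<hashed-password-placeholder>",
         # nested record, to show the strip reaches below the top level
         "linked": [{"user_id": 3, "password": "<hashed-password-placeholder>"}]},
    ],
})

# Keys a public-facing proxy must never pass through from the privileged API.
DENIED_FIELDS = frozenset({"password"})


def strip_fields(obj, denied=DENIED_FIELDS):
    """Return a copy of a decoded JSON value with every denied key removed,
    at any nesting depth (dicts inside lists inside dicts, and so on)."""
    if isinstance(obj, dict):
        return {k: strip_fields(v, denied)
                for k, v in obj.items() if k not in denied}
    if isinstance(obj, list):
        return [strip_fields(item, denied) for item in obj]
    return obj


def filter_response(content_type, body, denied=DENIED_FIELDS):
    """Filter an upstream response body before the proxy forwards it.

    JSON bodies are parsed and stripped. Anything that is not JSON is refused
    instead of being relayed untouched, so an unexpected content type cannot
    carry the field past the filter (fail closed rather than fail open)."""
    if not content_type.lower().startswith("application/json"):
        raise ValueError(f"refusing to forward non-JSON upstream body: {content_type!r}")
    return json.dumps(strip_fields(json.loads(body), denied))


def contains_field(obj, name):
    """True if key `name` appears anywhere in a decoded JSON value; used to
    check the filter's output rather than trusting it."""
    if isinstance(obj, dict):
        return name in obj or any(contains_field(v, name) for v in obj.values())
    if isinstance(obj, list):
        return any(contains_field(item, name) for item in obj)
    return False


def filter_sample():
    """Run the filter over the constructed sample and return the decoded result."""
    return json.loads(filter_response("application/json", SAMPLE_UPSTREAM_BODY))


if __name__ == "__main__":
    result = filter_sample()
    print(json.dumps(result, indent=2))
    print("password field present after filtering:", contains_field(result, "password"))
```

The check worth keeping is the last one: after filtering, assert that the denied key is absent at every depth, because a filter that only looks at the top level of each entry is exactly the kind that leaks once the upstream API starts embedding related records.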