Hey Nick (@knolleary),
The username seems quite easy, but the password content is not clear to me ...
This is the content of the configNode.credentials on the client-side (i.e. in the config screen):

- When I neither change the username nor the password, then credentials are undefined.
- When I only change the username to 'xxxx', then the credentials contain only the new username:
  The password is not included, but the boolean shows a password is available (at the server-side).
- When I change the password to 'xxxx', then the credentials contain only the new password:
- When I change both username and password, then the credentials contain both values.
- When I append 'xxxx' to the original password, then the credentials contain a constant `__PWDR___` (representing the password which is only known on the server side) combined with my newly added characters:
  Could still manage this one: when I send it to the server, I could replace the constant value by the real password value.
- But when I replace a few characters of the original password by 'xx', then a part of the constant value will be replaced by my new characters:
  I have no clue how I could determine which part of the real original password remains. Indeed, if I'm not mistaken, the constant value is always `__PWDR___`, independent of the length of my real original password. Which is of course great from a security perspective, but not for me ...

I see that other nodes (like mqtt) are also dealing with the constant value, but I don't see at first sight how to handle partial replacements of the original password...
Do you have any other tips in your big magic box?
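
As an added example (not part of the post above and not Node-RED's own code), here is one way a server-side handler could merge the submitted credentials with the stored ones: a value containing the intact constant gets the stored password substituted, and a value that looks like a partly overwritten constant is rejected, because the original password cannot be recovered from it. The function names, the shape of the stored object and the half-length threshold are assumptions; the constant is spelled as in the post.

```javascript
// Hypothetical helper for illustration; not Node-RED's own API.
// PLACEHOLDER is the constant exactly as written in the post above.
const PLACEHOLDER = '__PWDR___';

// Number of leading characters two strings share.
function commonPrefix(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

// Heuristic (assumption): the value keeps at least half of the placeholder's
// head and tail but not the whole placeholder, so it is most likely an
// in-place edit of the masked field rather than a freshly typed password.
function looksLikeEditedPlaceholder(value, placeholder = PLACEHOLDER) {
  if (value.includes(placeholder)) return false;
  const rev = (s) => [...s].reverse().join('');
  const head = commonPrefix(value, placeholder);
  const tail = Math.min(commonPrefix(rev(value), rev(placeholder)),
                        value.length - head); // head and tail must not overlap
  return head + tail >= Math.ceil(placeholder.length / 2);
}

// Merge what the editor submitted with what the server already stores.
function resolveCredentials(submitted, stored) {
  const result = { ...stored };
  if (!submitted) return result;                  // nothing was changed
  if (submitted.username !== undefined) result.username = submitted.username;
  const pw = submitted.password;
  if (pw === undefined) return result;            // password field untouched
  if (looksLikeEditedPlaceholder(pw)) {
    throw new Error('password was edited in place; retype it in full');
  }
  if (pw.includes(PLACEHOLDER)) {
    // split/join instead of replace(): '$' sequences in the stored
    // password must not be interpreted as replacement patterns.
    result.password = pw.split(PLACEHOLDER).join(stored.password);
  } else {
    result.password = pw;                         // complete new password
  }
  return result;
}

// Constructed sample of server-side stored credentials.
const STORED_SAMPLE = { username: 'admin', password: 's3cret$&' };
```

Rejecting the ambiguous case forces the user to retype the whole password, which keeps the server from storing a fragment of the placeholder as the real secret.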