Password saved in plain text in mongo db

[GAstraeus]

Going into the mongodb shell and showing the setting collection reveals the authCredentials password in plain text

Reproduction

Used commands:
mongosh
use pisignage-server-dev
db.settings.find()

Sample Output Showing the password in plaintext

[
  {
    _id: ObjectId("object-id"),
    authCredentials: { user: 'admin-username', password: 'ADMIN-PASSWORD-IN-PAINTEXT' },
    installation: 'pi-signage-username',
    newLayoutsEnable: false,
    systemMessagesHide: true,
    forceTvOn: false,
    disableCECPowerCheck: false,
    defaultDuration: 10,
    language: 'en',
    sshPassword: null,
    enableLog: false,
    hideWelcomeNotice: true,
    reportIntervalMinutes: 5,
    enableYoutubeDl: true,
    __v: 0
  }
]

Possible In scope:

• Add measures to salt and hash the password before it gets saved to db
• Change auth check to handle checking against hashed password
• Test for functionality of authentication, and setting new password

Resources Found

• Found an example that may be adaptable to this use case
  • https://coderrocketfuel.com/article/store-passwords-in-mongodb-with-node-js-mongoose-and-bcrypt

[rmscode]

Approaching 2 years and this hasn't been addressed yet?

[colloqi]

Hi, this is used by players in the internal network and http auth. We are not planning to solve this as of now.

[ebandur-fshark]

Would love for this to be addressed. At least more security added for open-source servers. 2FA, SSO, different password for players than server, no plain text on players and MongoDB, etc.