Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)

This will be a breaking change for some people. We removed all internal password control logic. If this affects you, you have two options: 1. Use a plugin for authentication and use session based pad access (recommended). 1. Use a plugin for password setting. The reasoning for removing this feature is to reduce the overall security footprint of Etherpad. It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2025-04-27 19:06:15 -04:00 · 2020-10-07 13:43:54 +01:00 · 2020-10-07 13:43:54 +01:00 · 66df0a572f
commit 66df0a572f
parent 45bee54aa0
24 changed files with 23 additions and 246 deletions
--- a/doc/api/hooks_server-side.md
+++ b/doc/api/hooks_server-side.md
@ -139,9 +139,8 @@ Called from: src/node/db/SecurityManager.js
 Things in context:

 1. padID - the pad the user wants to access
-2. password - the password the user has given to access the pad
-3. token - the token of the author
-4. sessionCookie - the session the use has
+2. token - the token of the author
+3. sessionCookie - the session the use has

 This hook gets called when the access to the concrete pad is being checked. Return `false` to deny access.

--- a/doc/api/http_api.md
+++ b/doc/api/http_api.md
@ -581,24 +581,6 @@ return true of false
  * `{code: 0, message:"ok", data: {publicStatus: true}}`
  * `{code: 1, message:"padID does not exist", data: null}`

-#### setPassword(padID, password)
- * API >= 1
-
-returns ok or an error message
-
-*Example returns:*
-  * `{code: 0, message:"ok", data: null}`
-  * `{code: 1, message:"padID does not exist", data: null}`
-
-#### isPasswordProtected(padID)
- * API >= 1
-
-returns true or false
-
-*Example returns:*
-  * `{code: 0, message:"ok", data: {passwordProtection: true}}`
-  * `{code: 1, message:"padID does not exist", data: null}`
-
 #### listAuthorsOfPad(padID)
 * API >= 1

--- a/doc/docker.md
+++ b/doc/docker.md
@ -171,7 +171,6 @@ For the editor container, you can also make it full width by adding `full-width-
 | `SUPPRESS_ERRORS_IN_PAD_TEXT`     | Should we suppress errors from being visible in the default Pad Text?                                                                                                                                  | `false`            |
 | `REQUIRE_SESSION`                 | If this option is enabled, a user must have a session to access pads. This effectively allows only group pads to be accessed.                                                                          | `false`            |
 | `EDIT_ONLY`                       | Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads.                                                                       | `false`            |
-| `SESSION_NO_PASSWORD`             | If set to true, those users who have a valid session will automatically be granted access to password protected pads.                                                                                  | `false`            |
 | `MINIFY`                          | If true, all css & js will be minified before sending to the client. This will improve the loading performance massively, but makes it difficult to debug the javascript/css                           | `true`             |
 | `MAX_AGE`                         | How long may clients use served javascript code (in seconds)? Not setting this may cause problems during deployment. Set to 0 to disable caching.                                                      | `21600` (6 hours)  |
 | `ABIWORD`                         | Absolute path to the Abiword executable. Abiword is needed to get advanced import/export features of pads. Setting it to null disables Abiword and will only allow plain text and HTML import/exports. | `null`             |