Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)

This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).

src/static/css/pad/loadingbox.css

@@ -10,10 +10,6 @@
   z-index: 100;
 }
 
-#editorloadingbox .passForm{
-  padding:10px;
-}
-
 #editorloadingbox input{
   padding:10px;
 }
@@ -22,6 +18,6 @@
   padding:10px;
 }
 
-#passwordRequired, #permissionDenied, #wrongPassword, #noCookie {
+#permissionDenied, #noCookie {
   display:none;
-}
+}

src/static/js/pad.js

@@ -126,15 +126,6 @@ function getUrlVars()
   return vars;
 }
 
-function savePassword()
-{
-  //set the password cookie
-  Cookies.set('password', $('#passwordinput').val(), {path: document.location.pathname});
-  //reload
-  document.location=document.location;
-  return false;
-}
-
 function sendClientReady(isReconnect, messageType)
 {
   messageType = typeof messageType !== 'undefined' ? messageType : 'CLIENT_READY';
@@ -160,7 +151,6 @@ function sendClientReady(isReconnect, messageType)
     type: messageType,
     padId: padId,
     sessionID: Cookies.get('sessionID'),
-    password: Cookies.get('password'),
     token: token,
     protocolVersion: 2
   };
@@ -225,10 +215,6 @@ function handshake()
     //the access was not granted, give the user a message
     if(obj.accessStatus)
     {
-      if(!receivedClientVars){
-        $('.passForm').submit(require(module.id).savePassword);
-      }
-
       if(obj.accessStatus == "deny")
       {
         $('#loading').hide();
@@ -241,19 +227,6 @@ function handshake()
           $("#editorloadingbox").show();
         }
       }
-      else if(obj.accessStatus == "needPassword")
-      {
-        $('#loading').hide();
-        $('#passwordRequired').show();
-        $("#passwordinput").focus();
-      }
-      else if(obj.accessStatus == "wrongPassword")
-      {
-        $('#loading').hide();
-        $('#wrongPassword').show();
-        $('#passwordRequired').show();
-        $("#passwordinput").focus();
-      }
     }
 
     //if we haven't recieved the clientVars yet, then this message should it be
@@ -954,7 +927,6 @@ exports.settings = settings;
 exports.randomString = randomString;
 exports.getParams = getParams;
 exports.getUrlVars = getUrlVars;
-exports.savePassword = savePassword;
 exports.handshake = handshake;
 exports.pad = pad;
 exports.init = init;

src/static/js/timeslider.js

@@ -113,7 +113,6 @@ function sendSocketMsg(type, data)
     padId,
     token,
     sessionID: Cookies.get('sessionID'),
-    password: Cookies.get('password'),
     protocolVersion: 2,
   });
 }

src/static/tests.html

@@ -161,7 +161,5 @@
   <div class="define">getReadOnlyID(padID)</div>
   <div class="define">setPublicStatus(padID,publicStatus)</div>
   <div class="define">getPublicStatus(padID)</div>
-  <div class="define">setPassword(padID,password)</div>
-  <div class="define">isPasswordProtected(padID)</div>
 </body>
 </html>