On Jan 10, 2015, at 10:58 AM, Andrew Stuart wrote:

>I’m aware that it’s not the actual cleartext password.
>
>From a security perspective should even salted and hashed passwords
>stay behind the API or might there be a need for something on the other side
>of the API to access that field?

Keeping in mind that the core's REST API is a privileged API, only to be exposed over localhost, it is intended to make the hashed password field available. For a public facing proxy, I would expect this field to be filtered out.

Cheers,
-Barry

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9