Encrypt password
Issue #39
new
As mentioned in issue #28, passwords are stored in plain text in the audit log, and thus anyone with admin access to the repository can see these credentials. Even if you scrub the audit log, you can also view this with right click -> Inspect in your web browser.
Is it possible to encrypt these passwords so they aren't in plain text? Another Bitbucket webhook, "Stash Hook Mirror", has done this and stores a key within the database: https://github.com/ef-labs/stash-hook-mirror/blob/master/src/main/java/com/englishtown/bitbucket/hook/DefaultPasswordEncryptor.java
Even if still not safe from an attack from within, as you mentioned, it at least requires access to the database (which should be harder to get access to compared to repo admin).
Hi Michael,
Thank you very much for your feedback.
And yes, you're right. I saw the code from the mirror plugin too. I can't promise any time frame, but I'll definitely put it in when I get to it. If you are in any hurry, pull requests are always welcome... ;-)
Best, Alex
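An added example (not code from this plugin or from Stash Hook Mirror) of the approach requested in this issue: the hook password is encrypted with AES-GCM before it is written to the settings, using a key held in server-side storage that repository admins cannot read. The class name, the `hook.password.key` entry and the `Map` standing in for that storage are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

public class HookPasswordEncryptor {
    private static final String PREFIX = "{AESGCM}"; // marks values that are already encrypted
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecureRandom random = new SecureRandom();
    private final SecretKeySpec key;
    // keyStore is a hypothetical stand-in for server-side storage repo admins cannot read.
    public HookPasswordEncryptor(Map<String, String> keyStore) {
        String stored = keyStore.get("hook.password.key");
        if (stored == null) { // first use: generate and persist a random 256-bit key
            byte[] raw = new byte[32];
            random.nextBytes(raw);
            stored = Base64.getEncoder().encodeToString(raw);
            keyStore.put("hook.password.key", stored);
        }
        key = new SecretKeySpec(Base64.getDecoder().decode(stored), "AES");
    }
    public String encrypt(String value) throws GeneralSecurityException {
        if (value == null || value.isEmpty() || value.startsWith(PREFIX)) return value; // idempotent
        byte[] iv = new byte[IV_LEN];
        random.nextBytes(iv); // fresh nonce per value; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }
    public String decrypt(String value) throws GeneralSecurityException {
        if (value == null || !value.startsWith(PREFIX)) return value; // legacy plain-text setting
        byte[] in = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws GeneralSecurityException {
        HookPasswordEncryptor enc = new HookPasswordEncryptor(new java.util.HashMap<>());
        String stored = enc.encrypt("s3cret-example"); // constructed sample value
        System.out.println(stored + " -> " + enc.decrypt(stored));
    }
}
```

With this in place the settings and audit log hold only the prefixed ciphertext; the settings form should be populated with that stored value or a placeholder, never with the output of `decrypt`, so the plain text does not reach the browser.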