strophe / strophejs

Strophe.js is an XMPP library for JavaScript

Home Page:http://strophe.im/strophejs


Is there any way for strophe connection to prohibit viewing plaintext passwords?

f987002856 opened this issue · comments

I use the following code with Strophe to connect to the XMPP server, but when I call console.log(connection), I can see the plaintext login password. The plaintext password is also visible at debugger breakpoints.

var BOSH_SERVICE = 'http://127.0.0.1:7070/http-bind/';
var connection = null;   // global: reachable from any other script on the page
var connected = false;
var jid = "";

// Status callback passed to connection.connect()
function onConnect(status) {
    console.log(status);
    if (status === Strophe.Status.CONNFAIL) {
        alert("fail!");
    } else if (status === Strophe.Status.AUTHFAIL) {
        alert("fail!");
    } else if (status === Strophe.Status.DISCONNECTED) {
        alert("fail!");
        connected = false;
    } else if (status === Strophe.Status.CONNECTED) {
        alert("success!");
        connected = true;

        // register the message handler and announce presence
        connection.addHandler(onMessage, null, 'message', null, null, null);

        connection.send($pres().tree());
    }
    // this connection can see the plaintext password;
    console.log(connection);
}
// ...

$(document).ready(function() {

    $('#btn-login').click(function() {
        if (!connected) {
            connection = new Strophe.Connection(BOSH_SERVICE);
            // the password is read straight from the input and handed to Strophe
            connection.connect($("#input-jid").val(), $("#input-pwd").val(), onConnect);
            jid = $("#input-jid").val();
        }
    });
    // ...
});

The breakpoint debugging screenshot is as follows:
[screenshot not included]

If you step through a debugger in any client-side code you'll likely be able to access sensitive information. There's not much that can be done about that.

If you are concerned that other malicious code might read this data, then you can use closures to keep the Strophe data encapsulated outside of the global scope and away from other code.
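As an added illustration of the closure approach suggested above (this is example code, not part of Strophe.js or the original thread): the connection, the connected flag and the password all live inside `createXmppSession`, a hypothetical helper, and the caller only receives `login`, `isConnected` and `logout`. The `Strophe` object below is a constructed stand-in that mirrors the real library's habit of keeping the password on the connection object, so the example runs offline; in a browser you would use the real library instead.

```javascript
// Constructed stand-in for Strophe.js so this example runs without the library.
// It keeps `pass` on the connection object, which is exactly what the issue
// observed when logging the real connection.
const Strophe = {
  Status: { CONNFAIL: 2, AUTHFAIL: 4, CONNECTED: 5, DISCONNECTED: 6 },
  Connection: class {
    constructor(service) {
      this.service = service;
      this.jid = null;
      this.pass = null;
    }
    connect(jid, pass, callback) {
      this.jid = jid;
      this.pass = pass;           // stand-in mirrors Strophe storing the password
      callback(Strophe.Status.CONNECTED);
    }
    disconnect() { this.pass = null; }
  },
};

// Hypothetical helper (assumption, not a Strophe API): everything that used to
// be a global in the issue's code now lives in this closure.
function createXmppSession(service) {
  let connection = null;
  let connected = false;

  function login(jid, password, onStatus) {
    connection = new Strophe.Connection(service);
    connection.connect(jid, password, (status) => {
      connected = status === Strophe.Status.CONNECTED;
      // Report only the status code; never hand the connection object out.
      onStatus(status);
    });
    password = null;  // drop our own copy once Strophe has it
  }

  function isConnected() { return connected; }

  function logout() {
    if (connection) {
      connection.disconnect();
      connection = null;
      connected = false;
    }
  }

  // The frozen object is the only handle other code on the page can reach;
  // it carries no `connection`, `jid` or password property.
  return Object.freeze({ login, isConnected, logout });
}
```

Other scripts on the page can still call `login`, but they cannot read the connection object or the password through the session handle, and there is no global `connection` left to inspect.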