REST: Remove Use of Password #3641
Labels: S:proposal accepted; T: API Breaking (breaking changes that impact APIs and the SDK only, not state machine); T: Security
Summary
The password field in the base_req of POST requests should be removed entirely or heavily documented as unsafe.
Problem Definition
Even with a REST client sitting behind a secure network layer/proxy, it is not advisable to accept key passwords in plain text such as this.
Proposal
We already have generate only and tx broadcast support, so we should enforce (encourage) clients to sign the txs before sending to a specific node.
In other words, we:
password field (thus removing the dependency for Keybase)
/cc @cosmos/cosmos-ui
ref: #3560
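A server-side guard for the problem described in this issue, as an added example that is not part of the original issue or of the Cosmos SDK code: a Go middleware that refuses any request whose base_req carries a password, so a client has to sign locally and then broadcast. Only the base_req and password field names come from the issue; the middleware, the /tx path, the chain_id field and the sample bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hasPassword reports whether a JSON body carries base_req.password. Keys are
// matched case-insensitively, as encoding/json does when decoding into structs.
func hasPassword(body []byte) bool {
	var req map[string]json.RawMessage
	_ = json.Unmarshal(body, &req) // on malformed input req stays nil
	for k, raw := range req {
		var base map[string]json.RawMessage
		if strings.EqualFold(k, "base_req") && json.Unmarshal(raw, &base) == nil {
			for f := range base {
				if strings.EqualFold(f, "password") {
					return true
				}
			}
		}
	}
	return false
}

// rejectPassword (hypothetical middleware) refuses such requests before any handler runs.
func rejectPassword(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil || hasPassword(body) {
			http.Error(w, "base_req.password is not accepted: sign locally, then broadcast", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(strings.NewReader(string(body))) // hand the body on
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed POST body through the middleware and returns the status.
func statusFor(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/tx", strings.NewReader(body))
	rejectPassword(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(statusFor(`{"base_req":{"chain_id":"c","Password":"x"}}`)) }
```

The case-insensitive match matters because a downstream struct tagged `json:"password"` would also accept `Password`, so an exact-match filter in front of it could be bypassed.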