Sitewide credentials for DataCite or Crossref plugins

Hi everyone,

a colleague of mine noticed a somewhat strange circumstance and perhaps a security issue concerning the management of credentials for e.g. the “DataCite Export/Registration Plugin”, at least in our instance. (I guess the same applies for Crossref and other plugins under “Tools”.)

I know that these credentials can be journal specific and hence journal managers etc. must have access to the plugin configuration (and they are most likely to know the credentials anyway).

But: We have an OJS 3 instance with several journals and we use the same DataCite credentials for all journals. Now, anyone with permission level “Journal Manager” can see the plugin configuration and while the password is obscured at first sight…
grafik

… it’s perfectly readable in plain text when using your ordinary HTML inspection tools.
Bildschirmfoto_2021-03-16_14-44-45

Perhaps I’m missing something here, but doesn’t that mean, we cannot keep those (site-wide) credentials secret from anyone with “just” journal manager permission level?

So my first question would be: Is the way we handle these credentials wrong and, if so, how can we do it properly? Can we modify the “Journal Manager” permission level (or create our own) so as to forbid access to the plugin config?

If this is not an issue with us, however, we’d like to ask if and how this problem could be tackled. Could the privilege system be made more granular in this regard? Or could the plugin(s) provide a mechanism similar to the ORCID plugin, where server administrators can include the credentials in config.inc.php for all journals while hiding the client secret in the web frontend?

grafik

I’d be interested in and grateful for your thoughts on this.

Best regards
Dennis

Hi @dennmuel,

I’m going to flag this for our developers, but to help provide more context, could you provide the following information:

  1. The version of Ojs you are using
  2. The version of the plugin(s) you are using (you should be able to identify this in the plugin gallery, or in the version.xml file in the directory of the plugin on your server, if installed manually.

-Roger

Hi @rcgillis,

thanks for your quick reply. I observed this behavior in OJS 3.3.0-3 + DataCite 2.0.0.0 as well as OJS 3.2.1-0 + DataCite 2.0.0.0.

Best regards
Dennis

Hi @dennmuel,

I think you raise a good point. Another approach that I have seen is situations where a user can enter in new credentials but can not view existing ones (GitHub does this with API keys, for example, you can generate a new one and see it then, but after that it’s hidden and you can only generate a new one).

I’ve filed an issue and you can follow along there for progress. We’d certainly be open to a community contribution to address this issue. :wink:

1 Like