I just got my food computer connected to the hosted UI, and realized that I don’t have any login information or passwords.
- When docker installed Couchdb, there were no passwords set for the database (that I am aware of)
- The UI connects to Couch via port 5984. Again no login or password required.
It looks like anyone with a UID to any food computer could connect to Couch, and not only see all the data but potentially change any of it.
Is the only security the obscurity of how few food computers are running in the wild, and that OpenAg is not making information about the current systems hooked to the UI public?
This looks like a big security hole. I can live with it for now, but I would like to see this addressed in the future architecture.