Will the Directory API store my password as plain text if I don't specify a hashFunction value in the request body? Kindly tell me.
If we check the docs for Manage users, we can see how Google wants us to use the User.insert method. As far as the password goes, there are a few things we can add to the body of the request:
the password itself and the hashFunction that was used to create the password.
```json
"password": "new user password",
"hashFunction": "SHA-1",
"changePasswordAtNextLogin": false,
```
If we read further down in the docs we will find this line.
> A password is required for new user accounts. If a hashFunction is specified, the password must be a valid hash key. For more information, see the API Reference.
So you must send a password, in clear text. Then Google will hash it on their end using whatever hashing method they choose. If you then do a user.get on the new user created, the hashFunction will be filled in and Google will tell you which type of hash function they used.
You do have another option: you can decide yourself which hash function you want to use, by sending hashFunction as part of your request. However, you then must hash the password itself. If a hashFunction is specified, the password must be a valid hash key. This option may by some be considered more secure, as you are not sending a clear text password to Google for hashing.
So if you want to send it clear text, just let Google hash it on their end. However, if you have your own favorite hash function (don't we all), then feel free to use that as long as it's one of these; apparently Google only supports MD5, SHA1 and crypt.
I have added an issue request 237333031 to have some clarifications added to the documentation.
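The two request shapes described in the answer above, as an added example that is not part of the original answer or Google's own code: it builds a users.insert body either with a clear-text password or with a locally computed digest, and rejects a `password` that is not a valid hash key for the declared `hashFunction`. It assumes MD5 and SHA-1 values are sent hex-encoded; the helper names and the sample account values are hypothetical.

```python
import hashlib
import json
import re

# Assumption: MD5 and SHA-1 hash keys are sent as hex digests of these lengths.
HEX_LEN = {"MD5": 32, "SHA-1": 40}
_ALGO = {"MD5": "md5", "SHA-1": "sha1"}


def hash_password(plaintext, hash_function="SHA-1"):
    """Return the hex-encoded digest to send as "password"."""
    if hash_function not in _ALGO:
        raise ValueError(f"unsupported hashFunction: {hash_function}")
    return hashlib.new(_ALGO[hash_function], plaintext.encode("utf-8")).hexdigest()


def is_valid_hash_key(password, hash_function):
    """Check that "password" looks like a digest of the declared function."""
    length = HEX_LEN.get(hash_function)
    return bool(length and re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", password))


def build_user_body(email, given, family, plaintext, hash_function=None):
    """Build a users.insert body; hash locally only when hash_function is set."""
    body = {
        "primaryEmail": email,
        "name": {"givenName": given, "familyName": family},
        "changePasswordAtNextLogin": False,
    }
    if hash_function is None:
        body["password"] = plaintext  # clear text; hashed on Google's side
    else:
        digest = hash_password(plaintext, hash_function)
        if not is_valid_hash_key(digest, hash_function):
            raise ValueError("digest does not match declared hashFunction")
        body["password"] = digest
        body["hashFunction"] = hash_function
    return body


if __name__ == "__main__":
    # Constructed sample values, not real account data.
    print(json.dumps(build_user_body("liz@example.com", "Liz", "Smith",
                                     "new user password", "SHA-1"), indent=2))
```
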