Redmine

Hi All,

I am creating Node js application that requires authentication.
Since it will be cooperating with Redmine, I would like to use Redmine's logins and password for authentication.

So far I came up with this quick and temporary solution, the snippet of pseudo-code is as follows:

const server = http.createServer((req, res) => {
    if (!req.authorization)
    {
        res.statusCode = 401;
        res.setHeader('WWW-Authenticate', 'Basic realm="need login"');
        res.write("Use your redmine account to log in to the app");
        res.end();
        return;
    }

    var parts = req.authorization.split(' ');
    var credentials =  Buffer.from(parts[1], 'base64').toString()
      , index = credentials.indexOf(':');

    var USER = credentials.slice(0, index)
      , PASS = credentials.slice(index + 1);

    var cmdRes = execSync("curl -v -k  -H \"Content-Type: application/xml\" -X GET  -u ${USER}:${PASS} ${URL}/users/current.json");
    if (cmdRes.user) // OK
    else //FAILED

It works fine, however it has big flaw that credentials are visible plain text in the app.

Is there better way to do this? For example to call the Redmine's login window directly and use only the return code?
Or at least have the password encrypted and not available in the application.

Any ideas are welcomed and appreciated.

Tomek

Environment:
Redmine version 3.3.2.stable
Ruby version 2.1.10-p492 (2016-04-01) [x86_64-linux]
Rails version 4.2.7.1
Environment production
Database adapter Mysql2
SCM:
Subversion 1.7.14
Git 1.8.3.1
Filesystem
Redmine plugins:
redmine_custom_js 0.1.0
redmine_custom_workflows 0.1.5
redmine_language_change 0.1.0
redmine_workflow_hidden_fields 0.3.0