Since the introduction of the xmlrpc token we can change wikisync to not require a username/password but to require login to the remote wiki instance. This can work as follows:
- User logs on to the local wiki
- User enters the remote wiki as normal, but no user/pass combination for it
- local wiki redirects to http://remote-wiki/?action=SyncPages&gettoken=1&response-url=http://local-wiki/...
- remote wiki asks for login if necessary
- remote wiki asks for permission; if denied, the remote wiki simply redirects back to the response URL; if permission is granted, the remote wiki generates an xmlrpc login token and passes it back to the originating wiki by appending &token=<token> to the response URL and redirecting to the resulting URL
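
The redirect exchange above, sketched as an added example (not wikisync code): the function names, sample URLs and token value are assumptions. It also assumes the remote wiki rejects a response-url that is not an absolute http(s) URL, which the proposal does not specify.

```python
# Added illustration of the token hand-off; all names and values are assumed.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl


def build_token_request(remote_wiki, response_url):
    """Local wiki: URL the browser is redirected to on the remote wiki."""
    query = urlencode({
        "action": "SyncPages",
        "gettoken": "1",
        # Percent-encoded so the response URL's own query string survives.
        "response-url": response_url,
    })
    return remote_wiki.rstrip("/") + "/?" + query


def build_response_redirect(request_url, granted, token=None):
    """Remote wiki: where to send the browser after the permission prompt."""
    params = dict(parse_qsl(urlsplit(request_url).query))
    if params.get("action") != "SyncPages" or params.get("gettoken") != "1":
        raise ValueError("not a token request")
    target = urlsplit(params.get("response-url", ""))
    # Assumed check: only redirect to absolute http(s) URLs.
    if target.scheme not in ("http", "https") or not target.netloc:
        raise ValueError("response-url must be an absolute http(s) URL")
    if not granted:
        return urlunsplit(target)  # denied: plain redirect, no token
    if not token:
        raise ValueError("granted response needs a token")
    # Append token to whatever query the response URL already carries.
    pairs = parse_qsl(target.query, keep_blank_values=True) + [("token", token)]
    return urlunsplit(target._replace(query=urlencode(pairs)))


def extract_token(callback_url):
    """Local wiki: token from the callback, or None if permission was denied."""
    return dict(parse_qsl(urlsplit(callback_url).query)).get("token")


# Constructed sample values.
LOCAL_CALLBACK = "http://localhost:8080/FrontPage?action=SyncPages&job=1"
REQUEST = build_token_request("http://remote-wiki", LOCAL_CALLBACK)
GRANTED = build_response_redirect(REQUEST, True, token="constructed-token-123")
DENIED = build_response_redirect(REQUEST, False)

if __name__ == "__main__":
    print(REQUEST)
    print(GRANTED, extract_token(GRANTED))
    print(DENIED, extract_token(DENIED))
```
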
Benefits
- no username/password is passed around
Drawbacks
- rogue local wiki could phish password for remote wiki; that, however, isn't likely since the local wiki is likely to be on localhost or such for wikisync to make sense
Other info
- as previously, only the remote wiki needs to be accessible, local wiki can still be localhost or such since browser is used to exchange data