Security issue with LRS database username and password

[lastmjs]

So I've been looking at xAPI.js, and I've set some breakpoints on the configuration of the xAPIWrapper. It looks like the configuration is authenticating client-side with our LRS's username and password. Isn't that a security risk? I would love some light to be shed on this, because it seems like our credentials are being passed to every user.

[lastmjs]

It is a security issue. LRS credentials (username and password) are exposed to each client. This should probably be addressed. See this conversation: adlnet/xAPIWrapper#66