The password generator + validator should exclude certain characters from the character sets to avoid confusion and potential bugs, e.g.:capital i and lower l are confusing
capital o and zero are confusing
@ and : may ruin passwords in URL
As none of the values are per se incorrect it may make sense to just remove them from the generator but still leave them as "valid" values.
Typically any input should be trimmed, it makes sense to make this a default action which can be explicitly disabled. Instead of the current approach where it needs to be enabled explicitly.
When distributing plugins they often require static data to be setup to function correctly. While this can be handled in the postSetup function, it isn'/files/ in its storage directory which are loaded automagically.
So far to big issues arise:
The order in which the data is loaded is crucial. Mostly this is the order of the modules which is typically dictated by their references. However self-referencing modules also require the order of the individual entries to be correct.
...
Add a configuration option to "store"/files/ are used in the session. Currently it always store this information which clutters the session and is other than being displayed in the backend completely useless.
Cross-Site Request Forgery (CSRF) are request to the server initiated from other websites. Allowing this is potentially dangerous as the request piggybacks on the existing session on the server if it's ran from the same browser (imagine 2 tabs, 1 logged in on the server, the other with a malicious site that sends a request to the server).
The most suitable way to prevent this seems to be Synchronizer Token Pattern
(STP) which effectively requires a unique token to be sent...