gragland / fake-auth

A fake auth service for prototyping authentication flows
MIT License

Store hashes of passwords #9

Open zaaath opened 2 years ago

zaaath commented 2 years ago

Store hashes of passwords instead of the original passwords. Optionally, apply salt to it.

Context

Currently, passwords seem to be stored in their original form in Local Storage under the auth-db-fa5 key:

[
   {
      "user":{
         "uid":"548",
         "email":"demo@gmail.com",
         "password":"demo"
      },
      "token":"eyJ1aWQiOiI1NDgiLCJlbWFpbCI6ImRlbW9AZ21haWwuY29tIiwicGFzc3dvcmQiOiJkZW1vIn0="
   },
   {
      "user":{
         "uid":"9798",
         "email":"test1@test.com",
         "password":"test1",
         "name":"Leo"
      },
      "token":"eyJ1aWQiOiI5Nzk4IiwiZW1haWwiOiJ0ZXN0MUB0ZXN0LmNvbSIsInBhc3N3b3JkIjoidGVzdDEifQ=="
   }
]

This sets a bad example. I think it's much better to implement simple logic to use hashes instead (perhaps even including salt, but not necessarily).

zaaath commented 2 years ago

@gragland let me know if you want to see this implemented. I might be able to work on it.

gragland commented 2 years ago

Hey there, I'm not sure I understand the point of adding any kind of security here, as this is only meant to be used when prototyping and the code of this library isn't really intended to be a good example of a production auth system (which would look very different and hashing would happen on the server). Maybe you can clarify your reasoning?

zaaath commented 2 years ago

@gragland I understand that this library is for prototyping, and production-level security is not needed. However, storing plain passwords might really damage your reputation. In my case, that surprised me, and not in a good way.

Perhaps consider setting expectations clearly that the password will be stored unhashed when using fake-auth (on the registration form or as a pop-up).

zaaath commented 2 years ago

And by the way, it's really easy to use hashes (even with salt and multiple rounds). There is this library called bcrypt which produces a hash with only:

await bcrypt.hash(password, pwdSaltRounds);

This produces something like $2b$12$1mE2OI9hMS/rgH9Mi0s85OM2V5gzm7aF3gJIWH1y0S1MqVBueyjsy, see this stack overflow. And then to verify the password:

await bcrypt.compare(password, user.pwdHash);

I think any eng would appreciate this little security measure in fake-auth.