solidjs / solid-start

SolidStart, the Solid app framework
https://start.solidjs.com
MIT License

Example `with-prisma` stores passwords as clear text in the database #680

Open meldron opened 1 year ago

meldron commented 1 year ago

Hi folks,

I just tried out the with-prisma example and noticed that the user password is stored without being hashed.

In my opinion this is a major problem, because it teaches new users (which are likely to use templates like this one) insecure practices. Like back in the day when all SQL examples were done without prepared statements.

I would suggest adding a modern hash function like argon2id or scrypt. If you folks agree, I would create a PR.

Thanks for all the hard work! meldron

apollo79 commented 1 year ago

Would be cool if a hashing algorithm / library was used that works on every platform. I noticed that argon2 and bcrypt aren't usable with vercel, because they use node-pre-gyp. The only workaround is afaik installing the necessary libraries.

meldron commented 1 year ago

As an alternative, the hashing could be done in the frontend only, so passwords are never sent in clear text to the server. Maybe https://github.com/jedisct1/libsodium.js is an option.

apollo79 commented 1 year ago

Yes, that would be cool, but it would break usability for users who have JS disabled.

Handola commented 1 year ago

Hashing on the frontend only is not really more secure than using plain passwords. If the database is compromised, the attacker can simply send the hash to the server to log in. Password hashing should be done on the server to prevent this.

meldron commented 1 year ago

@Handola you are totally right in the regard that the service is then still owned, but at least the user's password is not known. Most of the time the username is an e-mail address, and if you then have a password you can try this combination at other websites too.

meldron commented 1 year ago

Just tested the libsodium approach on the server side and it works. It's pure JS so there shouldn't be any problems with Vercel & Co I guess?

apollo79 commented 1 year ago

> Just tested the libsodium approach on the server side and it works. It's pure JS so there shouldn't be any problems with Vercel & Co I guess?

Well, it's JS + WASM. I don't know if Vercel supports WASM, but I'd think so (?)

meldron commented 1 year ago

On first glance it is JS only. (I guess they compile to asm.js?)

apollo79 commented 1 year ago

> On first glance it is JS only. (I guess they compile to asm.js?)

Hmm, yes, seems to support WASM and no-WASM. Sadly, the documentation is not that big... 😅

meldron commented 1 year ago

I will prepare an MR; maybe someone with Vercel access is then able to test it.

apollo79 commented 1 year ago

> I will prepare an MR; maybe someone with Vercel access is then able to test it.

Perfect 👍

rickyraz commented 5 months ago

Is there an update for this enhancement @meldron?

bgronek commented 1 week ago

If I'm not reading the issue below incorrectly, it looks like this may be solved in Vercel. https://github.com/vercel/pkg/issues/283