Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require hashes instead of plain text passwords #33

Open
miso-belica opened this issue Jan 24, 2020 · 2 comments
Open

Require hashes instead of plain text passwords #33

miso-belica opened this issue Jan 24, 2020 · 2 comments
Labels
enhancement

Comments

@miso-belica
Copy link

Hi,
thanks for the library. I am implementing a simple auth mechanism but was wondering if there is any easy way to have bcrypt hashes in the code instead of the plain text passwords. Unfortunately, there is no built-in support like below.

basicAuth({
  useBcrypt: true,
  users: ALLOWED_USERS,
})

I ended with this implementation. It's not hard to do but I can imagine some developers starting with the programming may not be able to do that in a reasonable time or are not interested to do it in the first place because providing plain-text passwords in the code is so easy :)

import * as bcrypt from 'bcrypt';

basicAuth({
  authorizeAsync: true,
  authorizer: async (username, password, authorize) => {
    const passwordHash = ALLOWED_USERS[username];
    const passwordMatches = await bcrypt.compare(password, passwordHash);

    return authorize(null, passwordMatches);
  },
})

I like how you basically teach people about timing attacks but I think it should be noted also that storing plain text passwords is not a good idea. So what I would like to propose is to implement hashed based passwords by default to teach people about this best practice. Something like below. What do you think?

basicAuth({
  users: {user: '$2b$13$AL6K99UVLEjngKPgKST39O13E4CyjnaRX..qM/ij7F3IyAbL8LGri'},
})

I prepared a simple npm script to generate the password with the hash. You could create similar one to provide CLI for users to generate their hashes.

"password": "node -e \"const bcrypt = require('bcrypt'); const password = Array(25).fill('+-_!?,.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz').map((x) => x[Math.floor(Math.random() * x.length)]).join(''); const hash = bcrypt.hashSync(password, 13); console.log({password, hash});\""
@dcousens
Copy link

dcousens commented Jul 15, 2020
edited
Loading

Maybe a half-way approach for this could be to support a hash function parameter which users can provide and is applied to incoming passwords.

That would cover the use-case without introducing dependencies like bcrypt, or recommending a particular crypto configuration.

@LionC
Copy link
Owner

LionC commented Sep 28, 2023

This is a really good point and should be easy enough to add in a backwards compatible manner with an opt-in option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dcousens @miso-belica @LionC