
Example `with-prisma` stores passwords as clear text in the database

Open meldron opened this issue 2 years ago • 13 comments

Hi folks,

I just tried out the with-prisma example and noticed that the user password is stored without being hashed.

In my opinion this is a major problem, because it teaches new users (which are likely to use templates like this one) insecure practices. Like back in the day when all SQL examples were done without prepared statements.

I would suggest adding a modern hash function like argon2id or scrypt. If you folks agree, I would create a PR.

Thanks for all the hard work! meldron

meldron avatar Jan 22 '23 09:01 meldron

Would be cool if a hashing algorithm / library was used that works on every platform. I noticed that argon2 and bcrypt aren't usable with vercel, because they use node-pre-gyp. The only workaround is afaik installing the necessary libraries.

apollo79 avatar Jan 22 '23 10:01 apollo79

As an alternative, the hashing could be done in the frontend only, so passwords are never sent in clear text to the server. Maybe https://github.com/jedisct1/libsodium.js is an option.

meldron avatar Jan 22 '23 10:01 meldron

Yes, that would be cool, but it would break usability for users who have JS disabled.

apollo79 avatar Jan 22 '23 10:01 apollo79

Hashing on the frontend only is not really more secure than using plain passwords. If the database is compromised, the attacker can simply send the hash to the server to log in. Password hashing should be done on the server to prevent this.

Handola avatar Jan 22 '23 22:01 Handola

@Handola you are totally right in that the service is then still owned, but at least the user's password is not known. Most of the time the username is an e-mail address, and if you then have a password you can try this combination at other websites too.

meldron avatar Jan 22 '23 22:01 meldron

Just tested the libsodium approach on the server side and it works. It's pure JS so there shouldn't be any problems with Vercel & Co I guess?

meldron avatar Jan 24 '23 08:01 meldron

> Just tested the libsodium approach on the server side and it works. It's pure JS so there shouldn't be any problems with Vercel & Co I guess?

Well, it's JS + WASM. I don't know if Vercel supports WASM, but I'd think so (?)

apollo79 avatar Jan 24 '23 09:01 apollo79

On first glance it is JS only. (I guess they compile to asm.js?)

meldron avatar Jan 24 '23 10:01 meldron

> On first glance it is JS only. (I guess they compile to asm.js?)

Hmm, yes, seems to support WASM and no-WASM. Sadly, the documentation is not that big... 😅

apollo79 avatar Jan 24 '23 10:01 apollo79

I will prepare an MR; maybe someone with Vercel access is then able to test it.

meldron avatar Jan 24 '23 10:01 meldron

> I will prepare an MR; maybe someone with Vercel access is then able to test it.

Perfect 👍

apollo79 avatar Jan 24 '23 10:01 apollo79

Is there an update for this enhancement, @meldron?

rickyraz avatar Jan 18 '24 23:01 rickyraz