express-basic-auth
Require hashes instead of plain text passwords
Hi, thanks for the library. I am implementing a simple auth mechanism but was wondering if there is any easy way to have bcrypt hashes in the code instead of the plain text passwords. Unfortunately, there is no built-in support like below.
```js
basicAuth({
  useBcrypt: true,
  users: ALLOWED_USERS,
})
```
I ended up with this implementation. It's not hard to do, but I can imagine some developers just starting out with programming may not be able to do that in a reasonable time, or are not interested in doing it in the first place because providing plain-text passwords in the code is so easy :)
```js
import * as bcrypt from 'bcrypt';
import basicAuth from 'express-basic-auth';

// ALLOWED_USERS maps usernames to bcrypt hashes, e.g. { admin: '$2b$13$...' }
basicAuth({
  authorizeAsync: true,
  authorizer: async (username, password, authorize) => {
    // Own-property lookup only: a plain ALLOWED_USERS[username] would resolve
    // names such as "constructor" through Object.prototype
    const passwordHash = Object.prototype.hasOwnProperty.call(ALLOWED_USERS, username)
      ? ALLOWED_USERS[username]
      : undefined;
    // bcrypt.compare rejects on an undefined hash, which would leave the request
    // hanging; treat an unknown user as a failed login instead
    if (!passwordHash) return authorize(null, false);
    const passwordMatches = await bcrypt.compare(password, passwordHash);
    return authorize(null, passwordMatches);
  },
})
```
I like how you basically teach people about timing attacks, but I think it should also be noted that storing plain-text passwords is not a good idea. So what I would like to propose is to implement hash-based passwords by default to teach people about this best practice. Something like below. What do you think?
```js
basicAuth({
  users: {user: '$2b$13$AL6K99UVLEjngKPgKST39O13E4CyjnaRX..qM/ij7F3IyAbL8LGri'},
})
```
I prepared a simple npm script to generate the password with the hash. You could create a similar one to provide a CLI for users to generate their hashes.

```json
"password": "node -e \"const bcrypt = require('bcrypt'); const crypto = require('crypto'); const password = Array(25).fill('+-_!?,.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz').map((x) => x[crypto.randomInt(x.length)]).join(''); const hash = bcrypt.hashSync(password, 13); console.log({password, hash});\""
```
Maybe a half-way approach for this could be to support a hash function parameter which users can provide and is applied to incoming passwords.
That would cover the use-case without introducing dependencies like bcrypt, or recommending a particular crypto configuration.
This is a really good point and should be easy enough to add in a backwards-compatible manner with an opt-in option.