Comments (5)
Hashing a password in the front end before sending it to the backend in effect makes the "hash" the password. This is not considered a good practice since a hash is by nature less unique than a password. Since the hashing is exposed to all clients and would be very simple to replicate, it adds no real security.
from lambdauth.
I'm really not well versed in security, fair warning, but I'm pretty sure that for signing up and logging in users it is considered a good practice to hash their passwords before sending them to the backend, which this implementation doesn't do. What this does is it sets the password as a 'payload' for the CreateUser lambda function and then it invokes the lambda using the AWS SDK and sends the payload with the invocation. Then inside of the CreateUser function it hashes the password and stores it. I'm not entirely sure how the payload gets transferred from the web client to the lambda function when you invoke it via the SDK, but I assume it's over an HTTP request of some sort. Since the password isn't hashed before it's sent to the function, that HTTP request could be intercepted by some evil genius and then he or she could take note of the password before it gets to the function to be hashed. However, if you hash the function on the front end, it doesn't matter if the HTTP request gets intercepted because the password wouldn't be human readable. So that's something to consider, but again I'm not a security expert, so take my advice with a grain (or maybe a mound) of salt.
Not an expert either, but you hash passwords before you send them to the database and then salt the hash so that if your database was compromised it would take a prohibitively long time to get access to large amounts of the stolen data. This implementation does that properly as far as I can tell.
When you send the HTTP request from the front end to the back end you don't need to hash the request but you should always be using https on your web server to make sure that if this information is intercepted it is not in plaintext form.
Hope that is somewhat helpful.
@bluestreek18 @kevinaud Thank you very much for the answers, so I take it it is secure?
In my experience (which is minor compared to many) I've never hashed the passwords coming from the frontend, only hash/salt before database entry.
I'm also interested in the security of this method, but from an AWS perspective.
- The login page, for example, contains AWS Cognito IdentityPoolId. I know VERY little about Cognito, I assume this is how it is supposed to be? I'm assuming so because I understand Cognito is intended for cross platform use, so the IdentityPoolId can be public.
- A Lambda function is invoked directly from the front end. I would think routing this request through the webserver would prevent an attacker from running up my Lambda function past limits. No?