Comments (2)
@DScheglov Thanks for reporting, but metautil is not 3rd party code, it's a part of metarhia (https://github.com/metarhia/metautil/blob/f3f7adee3b8a66e5375270e9363da9e0272fc2f1/lib/crypto.js#L111-L123); it uses node native crypto.scrypt. Parameter hash contains serialized salt, see: https://github.com/metarhia/metautil/blob/f3f7adee3b8a66e5375270e9363da9e0272fc2f1/lib/crypto.js#L75-L84 as well as hash algorithm name, and its options. Here is an example: $scrypt$N=32768,r=8,p=1,maxmem=67108864$XcD5Zfk+BVIGEyiksBjjy9LL42AFOOqlhEB650woECs$3CNOs25gOVV8AZMYQc6bFnrYdM+3xP996shxJEq5LxGt4gs1g9cocZmi/SYg/H16egY4j7qxTD/oygyEI80cgg
Sure, from Metarhia's point of view metautil is not 3rd party code. But for users of impress and metarhia -- it is exactly third party code.
It is great that the password is really salted before saving -- so it is not a concern any more.
However the naming is (a concern).
Also, it is recommended to use a pepper to mitigate risks of leaking all parts of the hash function input in case of a db leak. The leak of the whole hash function input doesn't allow restoring passwords for a whole large user base, but it allows doing that for a specific user or for any relatively small group of users.
It is obvious that a pepper could be added to the password, but it is also not safe, because a sensitive parameter is passed to the 3rd party code.
To use or not to use the pepper is a matter of the user's (of your framework) risk policy, but the framework should not lock or even provoke avoiding this approach.
Finally, it is ok that metarhia provides a password verification service, however, considering the license agreement (decline of responsibility) the corresponding methods should be named as _insecure to inform users about potential risks.
At least the example code must contain the corresponding remark with an explicit decline of responsibility.