Comments (15)
What I want to achieve is to compare a salted key with an unsalted key like this:
function saltedKey(salted, key) {
  var algo, len, salinate;
  if (!salted || !key) return null;
  /* verify salt algo $x$ */
  if (!(algo = salted.match(/^\$(\d)\$/)))
    return key;
  if (!(algo = exports.algorithms[algo[1]]))
    throw "invalid salt algorithm";
  if ((len = salted.length) < 12 || salted[11] != '$')
    throw "bad salt";
  /* 8 grinds of salt: characters 3..10, between the "$x$" prefix and the "$" at index 11 */
  salinate = salted.substr(3, 8) + key;
  return exports.calculateHash(salinate, algo);
}
if (saltedKey(salted, key) === salted) { /* good */ } else { /* bad */ }
And plug that into Hawk somewhere (note: this code is an example only).
from hawk.
What are you trying to achieve by salting the key? Given that the key is a shared secret I'm unclear on what benefit salting obtains.
Isn't the shared secret just a hashed password, or what else is it? :)
Salting protects the passwords if the database gets compromised.
The key is just a random set of characters. It shouldn't bear any relationship to users' actual passwords.
You need the key to calculate the MAC and authenticate each request, so you can't do anything one-way with it.
Is it a random set of characters that coexists on both client and server, or is it negotiated somehow?
If this random set is persisted on the server then it is a hashed password, right?
It shouldn't matter if the client bundles that into some magic MAC cookie, since if someone compromises the user database and gets hold of that key they can also generate authentic MACs. Or am I completely wrong? :)
You need to read the README on the main Hawk page, especially the "Security Considerations" section. Let me know if you have any questions after that.
Sure, will do that. I realize I need to dig deeper into the internals of hawk to understand this MAC thingy.
Thanks for the effort; however, I must admit I'm a little confused right now. ;)
Case closed for now.
"Hawk does not provide any mechanism for obtaining or transmitting the set of shared credentials required. Any mechanism used to obtain Hawk credentials must ensure that these transmissions are protected using transport-layer mechanisms such as TLS."
Oh my...
Yep, take a simple example:
- client app goes to https://api.example.com/token/generate. This request is protected by TLS and requires Basic authentication. If successful it returns a suitable set of Hawk credentials
- client app goes to http://api.example.com/resources/info. This request does not need TLS protection (it's still a good idea, but not so critical any more) and uses Hawk authentication
All further requests can use the Hawk credentials, with the caveats as per the README (and common sense). And you can manage the scope of the credentials to provide varying levels of access that you could not do with a single password.
So what happens if the database that holds the credentials gets compromised, i.e. due to a security flaw in the server?
I guess that these keys have to be short-lived, like during a session?
Thank you mcdee, I think I understand how to implement this now.
What would you expect to happen? All your data is exposed anyway, and because the Hawk credentials are unique tokens you don't have to worry about them being used to access information elsewhere.
If you're extra-worried about this you can always give the tokens a limited lifetime, but as I say once the server is compromised it's pretty much game over anyway.
Again, to be clear, Hawk isn't designed to be a complete authentication system in itself and should not be relied on for this. It is very good at (partially) confirming that requests have not been tampered with in-flight, but how much you trust the keys to imply identity is up to you.
Yes if the database where the user data is stored also gets compromised it is game over, I agree.
How should we store credentials that we get from the server in the client (browser app)? Is it ok to store credentials in a cookie or localStorage in plain text?
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.