Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How Not to Do Authentication in Node.js

Shreyansh Pandey
September 30, 2018
Programming
0
97

How Not to Do Authentication in Node.js

This presentation gives examples of some bad practices when it comes to authentication in and for Node.js applications in general. Furthermore, the interactive code-along includes a way to demonstrate how to fix some of the problems herein contained using tools and methods which are not as complicated as people think.

Shreyansh Pandey

September 30, 2018
Tweet

More Decks by Shreyansh Pandey

See All by Shreyansh Pandey
Architect at Scale - My musings as a Node.js developer
labsvisual
0
58

Other Decks in Programming

See All in Programming
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110
ヤプリ新卒SREの オンボーディング
masaki12
0
130
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
630
CSC509 Lecture 12
javiergs
PRO
0
160
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
230
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
960
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
430
as(型アサーション)を書く前にできること
marokanatani
10
2.7k
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
200
Arm移行タイムアタック
qnighy
0
330
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
Jakarta EE meets AI
ivargrimstad
0
130

Featured

See All Featured
RailsConf 2023
tenderlove
29
900
Code Review Best Practice
trishagee
64
17k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
BBQ
matthewcrist
85
9.3k
Agile that works and the tools we love
rasmusluckow
327
21k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
A Philosophy of Restraint
colly
203
16k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Adopting Sorbet at Scale
ufuk
73
9.1k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Rails Girls Zürich Keynote
gr2m
94
13k

Transcript

  1. Shreyansh Pandey — @acodingpanda How Not to Do Authentication

  2. About Me tl;dr I am pretty boring.

  3. Authentication — What? Why? How?

  4. Bad Ways to do it… MD5, direct-database storage, etc.

  5. MD5? So? “I-can-use-MD5-SHA-etc-because" starter pack: 1. It’s still a one-way

    hash function. 2. It’s secure. It can’t be broken. 3. I enforce strong password rules. 4. I like copying code.

  6. So… How does it matter?

  7. Few pointers: 1. It’s still a one-way hash function. Yes,

    it is. But that does not mean it is secure. 2. It’s secure. It can’t be broken. CVE-2012-3287 — md5crypt (b-crypt means blowfish-crypt).

  8. Do NOT read me: yes, you’re right. I created a

    new slide specifically for this xkcd. I enforce strong password rules.

  9. Discourse in cryptography • Entropy • ROT-3, Caesar’s Cipher (broken?)

    • Paradox?

  10. Buzzword — bcrypt/SHA-* • With SHA, it’s about implementation. FGPA

    or GPU. • SHA has a 32-bit design. • bcrypt is pretty decent at what it does: take more time.

  11. Viś-a-viś, the problem • Consider SHA-256. It’s implemented using a

    32-bit architecture. Very easy on GPU. • bcrypt, not so much. In-memory tables. Iterative recalculation. • GPU in the past, FPGA now. bcrypt can be exploited. • DDoS with bcrypt. Probable.

  12. Then what? • NIST SP-800-132. • Use PBKDF2 with high

    iteration count (Apple uses 10,000.)

  13. New kid on the block • Argon2* family of hashes.

    • One problem Hint: it’s overly complicated to implement.

  14. The Golden Rule It’s impossible to build something absolutely hacker-safe.

    You can make it hacker- deterrent.

  15. Barriers • Cryptography is hard. Without a mathematics degree, it’s

    Greek (literally). • There are some tutorials on how to do credential-storage but they aren’t real world examples. • PBKDF2: Microsoft, 1Password… (also Google?) • Don’t go about building your library*.

  16. The Solution •Try learning Cryptography. It’s not that hard. •Always

    be updated on the latest trends and 0- Day’s. •Don’t follow a tutorial (or a talk) blindly. •If you have some proprietary logic for credential storage, get it audited. •Always remember — in cryptography, you will most certainly need a tailor-made solution.

  17. That’s theory, what about tangible “stuff”? 1. Don’t overdo your

    length. It can lead to a DOS. (*) 2. Use an adaptive one-way function (PBKDF2, bcrypt, Argon2, etc.) with a cost-factor (“time delay”). 3. Use keyed functions like HMAC, etc. in conjunction with (2). 4. Never store plaintext passwords (evidently). 5. The key for HMAC should be treated like a private key; don’t store it in your database.

  18. Right… What about in JavaScript? • There are some really

    cool libraries which take out the guess-work: • libsodium (https://github.com/jedisct1/libsodium) • credential (https://github.com/ericelliott/credential) • node-argon2 (https://github.com/ranisalt/node-argon2)

  19. Viś-a-viś… Most of the credential storage tutorials don’t cover password

    reset… which is a worry.

  20. 1. Predictable tokens A. LCG, pseudo-random number generators, time-based function.

    B. Bruteforce. So, a large entropy? But that doesn’t mean it’s secure. Consider the substitution cipher. 2. Their value. They are as meaningful as passwords; then why are they not stored as such? 3. (Bonus: side-channel verifications. Security questions, rate limiting, audit records.)

  21. Real-World Examples

  22. public function index() { $session = $this->request->session(); $login = $session->read('Administrators.id');

    if(!empty($login)) { return $this->redirect( ['controller' => ‘SecuredAdmin', 'action' => 'dashboard']); } $this->viewBuilder()->layout('admin_login'); $this->set(compact('user')); $this->set('_serialize', ['user']); } function login() { $username = $this->request->data['username']; $password = $this->request->data['password']; $admins = TableRegistry::get('Admins'); $row = $admins ->find() ->where(['username' => $username]) ->where(['password' => md5($password)]) ->first(); ...
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None

  29. const payload = request.payload; if (payload.resettoken != '' && payload.resettoken

    != null) { User().filter({ resettoken: resettoken }).getJoin({ ‘reset’: true }).then(function(err, data) { if (err) { return { isSuccess: false } } return h.view('resetPassword', { resettoken: resettoken }); }) }

  30. app.handle('/', 'post', function(req, h) { User().filter({ resettoken: req.payload.resettoken }).getJoin({ 'reset':

    true }).then(function(err, data) { if (err) { return { isSuccess: false } } User.get(data.id).apply({ password: Helpers.calculatehash(password) }).then(function(err, data) { if (err) { return { isSucccess: false } } return { h.view('success-password-' + data.name); } }); }); });

  31. Talk is boring. Show me code.

  32. Sample Application The repository is divided into a couple of

    branches. 1. master — this contains a badly designed Node.js application. 2. better-storage — a better credential storage paradigm. 3. better-auth — a complete RESTful API with auth.

  33. http://bit.ly/jsfoo-node-auth

  34. Questions? https://github.com/labsvisual https://linkedin.com/in/acodingpanda/ https://isomr.co/