I have an HTTP request in which I want to pass some sensitive data, so I'm trying to encrypt this data. Does someone have two modules, one in react-native and the other one in node.js? I tried to use react-native-rsa and Crypto but I get a lot of errors, and I don't know if it's possible to use both together.
I think you must try Hybrid Crypto once.
I am attempting to implement site authentication. I have express routes, a mysql db, and login/register react forms. I am using password-validator (https://www.npmjs.com/package/password-validator) to disable/enable the submit buttons. I'll validate on the server, too. password-validator takes an array of strings to black/whitelist. I'm wondering where I should store these black/whitelists.
I figure I shouldn't store them as json files in the client folder, as it could be altered by the user. Might not matter much if I validate on the server, too, but I'd like to have a single source if I can. I'm unsure if it's possible or prudent to store them in the mysql db. Only other option I can think of is storing them as json on the server. Endpoints with express are ready to go, or I could use socket.io (also ready to go).
Any insight into the best way to do this is appreciated.
I really like the Wolkenkit server, but when I looked at the client library it seemed a bit too opinionated, and I might be using GraphQL, which I think will work well to wrangle all the read models. In that case, can I just use the server with HTTP? What would be involved with that?
Basically, you can access wolkenkit using HTTP or web sockets directly, without the need to use the JavaScript client SDK. All the client SDK does is wrap the HTTP and web socket calls, respectively, in a convenience API.
The server is built upon tailwind, which is a base module for applications built with CQRS in mind. The best place to start is to have a look at the HTTP server API of tailwind, which is used by wolkenkit. There, one could also add a GraphQL endpoint.
Please note that I am one of the developers of wolkenkit, so please take my answer with a grain of salt.
I am new to NodeJS and have made a web application login feature using passport.
I know when someone registers an account, the app needs to hash their password and save the hash to the database. But when I use console.log(), the object still contains the user's password in plain text. I have a feeling it's not safe but I'm not sure how to approach this. Can anyone explain what I am doing wrong here?
Irrespective of whether it is node.js or any other framework used for backend development, it is a good practice to pass the sensitive data such as passwords in encrypted format.
Typically we prefer using JSON Web Tokens (JWT) - https://jwt.io/
You can use https://www.npmjs.com/package/jsonwebtoken to encrypt and decrypt it.
Don't bother too much with it.
If a malicious agent has access to the runtime environment of your server he will be able to do, possibly, everything. Even if you are using jwt he will be able to get the secret and decode it easily.
Focus on:
leaving the password encrypted in the database (as you did very well)
using SSL between you and the entry point on your servers network
making sure that you only expose the necessary; having a firewall/barrier on the exterior of your server is a very good practice
sanitize and validate your server inputs to avoid injections and exploits
I just want to say only one thing: don't use third-party APIs or packages for it.
I am currently developing an application using a MERN stack, and I'd like to have authentication for it as well. However, before I just install PassportJS, I'd like to know how I should approach authentication. Should my client-side send my server a POST request with the email address in plaintext in the POST body? Should it encrypt it beforehand? Do I store the encrypted email address in MongoDB, or the plaintext version? I'm not asking for the best practice, but rather the approaches that could be taken given my current stack. I would like to understand this without just installing a package and calling the job done.
You have to use the passport middleware inside your routes before calling your custom callback, and define passport with the proper configuration.
I want to implement in-app messaging in my iOS and Android application, and I am unsure about how the backend functionality should be created. My backend is already running with Node.js, and users etc. are stored in MongoDB.
I figure that I quite easily could implement messaging just by saving the messages in the database and sending a push to the recipient with the new message and also showing it in the app, but I do not want the messages to be readable on the server. It would therefore be necessary to encrypt them in the database and decrypt them on the clients.
Does anyone have any suggestions for either how the encryption could be implemented or which node frameworks to use? I have looked at socket.io, but this seems to be created for real-time chat applications, which is not exactly what I'm looking for. I have also looked at RabbitMQ, but I don't really understand if it suits my requirements or not.
Many thanks in advance!
You are talking about end to end encryption. Your encryption would be easy to break if the key for the encryption is hardcoded inside the application. In order to implement something like this, you'll need a library for iOS and a library for Android.
For iOS, I recommend using OpenSSL and implementing an encryption scheme (public key cryptography). For Android, you can use the Spongy Castle library.
Due to limitations with iOS push notification size, it is not a great idea to send data via PUSH.
You will also (probably) need to implement an authentication mechanism for users to log in.
You can go down two paths here:
Have the server generate a secret for the clients to decrypt
Separate keys, (hashed password on database, and public/privatekeys on client)
I have not used socket.io/rabbitmq, so unfortunately I cannot help you there. It seems like you are new to this; I would take a good look at and read up on public key cryptography. http://en.wikipedia.org/wiki/Public-key_cryptography#Examples