Store user data encoded #34

Open
EvilLord666 opened this issue Sep 28, 2023 · 3 comments
Assignees
Labels
security All issues related with users data security and application security

Comments

@EvilLord666 (Member) commented Sep 28, 2023

We should encode user data to prevent access to it by someone who gains access to the data storage (Redis, file). Probably each user's credentials should be stored as a Base64-encoded string; this feature should be taken into account in Ferrum CLI too.

@EvilLord666 EvilLord666 added the security All issues related with users data security and application security label Sep 28, 2023
@stdstring commented

@EvilLord666 Encoding into Base64 isn't safe by nature. If we want to protect user data, we must encode/decode it with private/public keys.

@EvilLord666 (Member, Author) commented

base64 here means the way (format) in which we save the string in JSON; the data itself should be encoded/decoded with some encryption key.

@EvilLord666 (Member, Author) commented

Here is what we should do:

  1. For Realm we should create an additional non-mapping field PasswordSalt on the Realm object.
  2. When creating a new User we should make a password hash as follows: hash(password+salt), where hash is the hashing function; this algorithm works for non-federated Users. In the credentials field, in the password, we store the hash.
  3. We should have a separate module for hashing and save hash_type to credentials too.
  4. Salt must be created automatically when we create a Realm; every Realm must have its own salt.
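
Added example, not Ferrum's own code: the Realm and Credentials types, their json tags, and the function names below are assumptions chosen to follow the four steps in the comment above. It shows the scheme end to end in Go: a random per-realm PasswordSalt generated when the realm is created, hash(password+salt) written into the credentials' password field together with hash_type, and a verification path that recomputes the hash with the stored hash_type and compares in constant time. One caveat a reviewer would raise on this design: with a single salt per realm, two users in the same realm who choose the same password get the same stored hash, and a fast hash such as SHA-256, even salted, is cheap to brute-force offline; keeping hash_type in the record is what lets the project migrate to a per-user salt and a slow password hash (bcrypt, scrypt, Argon2) later without rewriting every credential at once.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Realm and Credentials are hypothetical stand-ins for Ferrum's types; the
// field names follow the issue thread (PasswordSalt, hash_type), not Ferrum's code.
type Realm struct {
	Name string `json:"name"`
	// PasswordSalt is the per-realm salt, base64 so it round-trips through JSON.
	// `json:"-"` is an assumption for what the thread calls a "non-mapping field":
	// the storage layer persists it, but it is never serialized into API responses.
	PasswordSalt string `json:"-"`
}

type Credentials struct {
	Password string `json:"password"`  // holds hash(password+salt), never the plaintext
	HashType string `json:"hash_type"` // which hash produced Password, so records can be migrated later
}

const defaultHashType = "sha256"

// NewRealm generates a fresh random 16-byte salt so that every realm has its own.
func NewRealm(name string) (*Realm, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Realm{Name: name, PasswordSalt: base64.StdEncoding.EncodeToString(salt)}, nil
}

// hashPassword computes hash(password+salt) for the named hash_type and returns it hex-encoded.
// Only sha256 is wired up; an unknown type is rejected instead of silently falling back.
func hashPassword(hashType, password string, salt []byte) (string, error) {
	switch hashType {
	case "sha256":
		sum := sha256.Sum256(append([]byte(password), salt...))
		return hex.EncodeToString(sum[:]), nil
	default:
		return "", fmt.Errorf("unsupported hash_type %q", hashType)
	}
}

// NewCredentials builds the credentials record for a non-federated user in realm.
func NewCredentials(realm *Realm, password string) (*Credentials, error) {
	salt, err := base64.StdEncoding.DecodeString(realm.PasswordSalt)
	if err != nil {
		return nil, fmt.Errorf("realm %q has a malformed salt: %w", realm.Name, err)
	}
	h, err := hashPassword(defaultHashType, password, salt)
	if err != nil {
		return nil, err
	}
	return &Credentials{Password: h, HashType: defaultHashType}, nil
}

// VerifyPassword recomputes the hash with the realm salt and the stored hash_type and
// compares in constant time, so a wrong guess does not leak how many leading bytes matched.
func VerifyPassword(realm *Realm, creds *Credentials, password string) (bool, error) {
	salt, err := base64.StdEncoding.DecodeString(realm.PasswordSalt)
	if err != nil {
		return false, fmt.Errorf("realm %q has a malformed salt: %w", realm.Name, err)
	}
	h, err := hashPassword(creds.HashType, password, salt)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(h), []byte(creds.Password)) == 1, nil
}

func main() {
	realm, err := NewRealm("demo")
	if err != nil {
		panic(err)
	}
	// Constructed sample password for the demonstration.
	creds, err := NewCredentials(realm, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	ok, _ := VerifyPassword(realm, creds, "correct horse battery staple")
	bad, _ := VerifyPassword(realm, creds, "Tr0ub4dor&3")
	fmt.Printf("stored credentials: %+v\nright password: %v, wrong password: %v\n", *creds, ok, bad)
}
```

The same salt decoding and hashing is used on both the create and verify paths, so a change of hash_type only touches hashPassword; the realm salt never leaves the storage layer because the JSON tag excludes it from API output.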

Development

No branches or pull requests

3 participants