Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hashing Data #58

Closed
wants to merge 6 commits into from
Closed

Hashing Data #58

wants to merge 6 commits into from

Conversation

jrans
Copy link
Member

@jrans jrans commented Sep 29, 2016
edited
Loading

THIS PR

Necessary for password, secret answers etc. Function can be used at layer most appropriate

  • Function to take some data and hash asynchronously according to field settings in config.
  • Fields can be given password or hash prop set as true to be told to hash.
  • New object given back, old not mutated.
  • Salt round defaults 10 but customisable with config object

Related: #52

@jrans
➕ Function to hash data according to config
ec5775e 
 + Function to take some data and hash asynchronously according to field settings in config.
 + Fields can be given password or hash prop set as true to be told to hash.
 + New object given back, old not mutated.

Related: 52
@jrans jrans changed the title Hashing Data [WIP] Hashing Data Sep 29, 2016
@jrans
Copy link
Member Author

jrans commented Sep 29, 2016

CI needs fixing but code itself passes on my machine and so can start your review while I fix, will remove WIP when done

@jrans jrans changed the title [WIP] Hashing Data Hashing Data Sep 29, 2016
@jrans
Copy link
Member Author

jrans commented Sep 29, 2016
edited
Loading

DONE Thanks to kelektiv/node.bcrypt.js#366

nelsonic
nelsonic reviewed Sep 29, 2016
View reviewed changes
lib/hash.js
return cb(null, hashed);
}

return bcrypt.hash(data[toBeHashed], 10, function (err, hash) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. so we are hard-coding the bcrypt hashing "cycles" in the library.
also, how are we going to use this hashed data?
if we attempt to bcrypt.compare we need to have the plaintext
see: https://github.com/ncb000gt/node.bcrypt.js/#to-check-a-password

@nelsonic nelsonic assigned jrans and unassigned nelsonic Sep 29, 2016
@jrans
Copy link
Member Author

jrans commented Sep 29, 2016

@nelsonic Yes salt number should be configurable. Will change.

This function does indeed only serve purpose for saving data that needs to be hashed.

Actually using that hash to authenticate a login must be done separately but will be done later with #53

@codecov-io
Copy link

Current coverage is 100% (diff: 100%)

Merging #58 into master will not change coverage

@@           master   #58   diff @@
===================================
  Files          10    11     +1   
  Lines         174   202    +28   
  Methods        38    46     +8   
  Messages        0     0          
  Branches       25    30     +5   
===================================
+ Hits          174   202    +28   
  Misses          0     0          
  Partials        0     0

Powered by Codecov. Last update d6d0fc9...0bcc894

@jrans jrans assigned nelsonic and unassigned jrans Sep 29, 2016
@nelsonic
Copy link
Member

@jrans what I'm saying is that given that the purpose of this PR is to hash ("sensitive") data and the only situation where we need to hash (i.e. one-way "encrypt") data is for passwords which we need the plaintext for in order to use bcrypt.compare (unless there is another MVP usecase I'm not aware of) the functionality becomes YAGNI so PR could be closed

image

the feature/idea should be documented in the issue so we can come back to it if/when we have a clear use-case

@jrans
Copy link
Member Author

jrans commented Sep 29, 2016

@nelsonic Maybe you're missing what I'm proposing but this is function is used on insertion of a new user and password into the database. If the field is meant to be a password it will hash the data if not then it will leave it as is.

Yes the only field we need to hash is "password", but what if we had two password fields? What if we wanted to store secret answers? Although this is maybe above and beyond MVP its functionality that can be used in future.

Two options:

  • I'm happy to strip out the salt stuff and provide a function that just hashes a single predefined "password" field in the db before saving a new user.
    • Use this function as is at the db insert layer and set password field to have prop password true which will do the same.

Realise the latter is one more step for the user and we're probably assuming email, password and username necessary for all user data so this could be done by us anyway when applying default requirements on the config.

@jrans
Copy link
Member Author

jrans commented Sep 29, 2016

@nelsonic ok closing

@jrans jrans closed this Sep 29, 2016
This was referenced Sep 29, 2016
Open
Merged
@eliasmalik eliasmalik deleted the hashing branch September 30, 2016 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nelsonic nelsonic nelsonic left review comments

Assignees

@nelsonic nelsonic

@SimonLab SimonLab

@eliasmalik eliasmalik

@samhstn samhstn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jrans @codecov-io @nelsonic @SimonLab @eliasmalik @samhstn