We have developed an application with Angular 5 as the frontend and Spring Boot as the backend. The first page is the login page, which invokes a REST API to authenticate against LDAP at the backend. We are using an OAuth implementation with JWT. So when the user logs in, the credentials (username and password) are sent via a POST request in the body to the REST API for auth. In the headers we are sending the clientId and secret for OAuth. The issue is that the credentials are exposed in the request and can be seen in the browser's developer tools. I need a way to mask/encrypt these credentials.
Did you implement that? Please give me an idea of it. – nitin tyagi Sep 19 '19 at 07:36
2 Answers
You can use the crypto-js library for encrypting your password from your Angular application.
Installation:
npm install crypto-js
Usage:
var AES = require("crypto-js/aes");
var SHA256 = require("crypto-js/sha256");
var MD5 = require("crypto-js/md5");
// AES is a two-way cipher: encrypt() takes the message and a key (passphrase) and returns a CipherParams object
console.log(AES.encrypt("YOUR PASSWORD", "YOUR SECRET KEY").toString()); // AES ENCRYPTION
// SHA256 and MD5 are one-way hashes, not encryption: the password cannot be recovered from the output
console.log(SHA256("YOUR PASSWORD").toString()); // SHA256 HASH
console.log(MD5("YOUR PASSWORD").toString()); // MD5 HASH
Thanks hope this helps!
Thanks Vipul. If I use the crypto lib for encryption at the Angular end, I would need to decrypt it at the backend Spring app to authenticate it with LDAP. Is there a way I can decrypt it at the backend in Spring? – Roger May 25 '18 at 11:25
Usually we don't encrypt the password at the front end and let it be visible in the network console, but I believe this may help on the Java side: https://stackoverflow.com/questions/10303767/encrypt-and-decrypt-in-java – Vipul Panth May 25 '18 at 12:11
Well, the password being exposed in the request in the network tab is quite "normal": your API needs to read the password after all and check if it is valid.
There are still a couple of things you can do:
- You definitely should communicate over HTTPS and can use several additional security headers as well
- You can hash the password on the browser side and treat the hash as if it were the user's password
  - Changing the hash function in the client is nearly impossible, since it requires all users to renew their password
  - You can't do any API-side password strength verification
- You can encrypt the password on the browser side and decrypt it in the API
  - You still should hash the password in your API, and do NOT store the encrypted password from the client (since the encryption is visible in the source code to the user)
I actually don't like the hash variant, since you lose control over password strength, and somebody could theoretically use the API and create a user with the password "Test" or something similar.
The second approach does help so that it is not visible in the network tab. But just be aware that if someone really cares, he can look up the encryption in your source code and still decrypt it in the request if he has access to it.
Thanks Nicolas. 1. How can we use the same certificate in Angular and Spring for configuring HTTPS? 2. If I encrypt the password at the frontend, I would need to decrypt it at the backend in Spring, for which I didn't find any article online. – Roger May 25 '18 at 11:29
@Roger looks like you are missing some basics. I recommend doing a tutorial on Spring web server with HTTPS. The client provides the certificate. You can create a self-signed one, get a free one from Let's Encrypt or buy one. And as for your second point, this is nothing Angular/Spring related. Just find an encryption that both languages support, something like base64. – Nicolas Gehlert May 25 '18 at 11:34