0

I want to apply gun.user in my project.

When I store the user in sessionStorage using user.recall(opt),

This code in sea.js stores password in tmp without encryption.

Is it okay? or..

Should I encrypt password before calling .auth?

Here is my code.

jq('#up').on('click', (e) => {
    let form = check();
    if(!form){ return }
    S.user.create(form.alias, form.pass, (ack) => {
        if(ack.err){ return S.tell(ack.err) }
        check.up = true;
        S.user.auth(form.alias, form.pass, logined);
    });
});

jq('#in').on('click', (e) => {
    let form = check();
    if(!form){ return }
    S.user.auth(form.alias, form.pass, logined);
});

let logined = (ack) =>{
    if(ack.err){ return S.tell(ack.err) }
    S.user.recall({sessionStorage: true});
}

+

I found the document about user.create().

Passphrase that will be extended with PBKDF2 to make it a secure way to login.

However, there is plane text in my session storage.

enter image description here

gun version is 0.2019.515.

huhsame
  • 73
  • 1
  • 9

1 Answers1

0

@huhsame , great concern! (And btw, incredible GUN AR/VR demos on your twitter!)

Browsers require domain-based security which sadly limits P2P security.

Unfortunately, sessionStorage is the safest best browser option:

  • Credentials are not shared with servers (like cookies do).
  • It keeps a user logged in on refresh.
  • It deletes the credentials if you close the tabs.

Between page loads, encrypting the password is a good idea but the problem is, to keep the user logged in, the decryption key also has to be stored. :(

Storing credentials in localStorage is unsafe, which is why sessionStorage is better.

Warning! Unless you use a Browser Extension (below) or Browsers adopt better solutions, an XSS leak can compromise credentials from sessionStorage - but even if you disable it, credentials can be pulled from in-memory without an Extension to protect accounts.

PBKDF2 is used during the login process, not session management - again, it could be used there as well, but has the same limitations as above.

Even sessionStorage does not work well for keeping users logged in.

As a result, you should consider other solutions. I've written more about other options here:

Keeping a Gun DB user authenticated during a session

Better Security

For the best security, users would sadly need to install a browser extension, like our http://party.lol tool, until Browsers adopt this type of security natively, or offer better user-centric session management.

Community
  • 1
  • 1
marknadal
  • 7,534
  • 4
  • 25
  • 22