Comments (8)
Hi @matijaSos, I can work on this
from wasp.
Hi @utkarsh4321 thanks a lot for your interest and reaching out! I suggest you write here a short proposal on how you would implement this feature so we can review it together before you start.
Also, have you already checked our guide to contributing? Here you will find the instructions on how to compile Wasp locally and get started with adding new features!
Let us know if you have any questions! Also, I'd recommend joining our group on Discord for more conversational-style discussions: https://discord.com/invite/rzdnErX
I noticed that password hashes of the same input result in the same value in the backend. Should add salt
@tom-f-hall thanks for letting us know about this!
We are using https://www.npmjs.com/package/secure-password for hashing the passwords, and from what I read and know, it does use salt when hashing the password. On my machine, when I save two identical passwords, the hash is different, not the same. However, I see that the start and end of each password hash is the same (some kind of padding I guess), so maybe that is what made you think they are always the same? If you are indeed getting completely identical hashes, could you please let me know which system you are running this on so we can try to replicate it.
Btw we also do have a plan to revisit the security once again when we get closer to production, as per this issue: #127.
You are correct, it's just the padding 🤦🏻♂️
> You are correct, it's just the padding 🤦🏻♂️
It confused me at first also, I needed to expand the content to figure out it was more than padding! Although I do wonder what the purpose of all that padding is, hm.
I decided to add an additional middleware to do the validation, just before our hashing middleware. While technically a monkey patch of Prisma's create function just for User, it feels like the cleanest approach to ensure:
- sane defaults always run
- users can enable/disable
- users can add their own custom validations
Something like this:
```js
prismaClient.$use(async (params, next) => {
  // Ensure strong plaintext password. Must come before hashing middleware.
  // Throws an EntityValidationError on the first validation that fails.
  // (EntityValidationError is assumed to be defined/imported elsewhere in the generated server code.)
  if (params.model === '{= userEntityUpper =}' && params.action === 'create') {
    const data = params.args.data || {}
    const defaultValidations = [
      { name: 'email must be present', fn: data => !!data.email },
      { name: 'password must be present', fn: data => !!data.password },
      { name: 'password must be at least 8 characters', fn: data => data.password.length >= 8 },
      { name: 'password must contain a number', fn: data => /\d/.test(data.password) },
    ]
    // Start from the defaults unless the caller opted out, then append any custom checks.
    let validations = params.args._waspSkipDefaultValidations ? [] : defaultValidations
    if (Array.isArray(params.args._waspCustomValidations)) {
      validations = validations.concat(params.args._waspCustomValidations)
    }
    for (const validation of validations) {
      if (!validation.fn(data)) {
        throw new EntityValidationError('{= userEntityUpper =}', validation.name)
      }
    }
    // Remove from downstream Prisma processing to avoid "Unknown arg" error
    delete params.args._waspSkipDefaultValidations
    delete params.args._waspCustomValidations
  }
  return next(params)
})
```
Then, users can customize in the following ways:
```js
// Each snippet below is independent; they are shown together only for comparison.

// Runs just our default validations
const newUser = context.entities.User.create({
  data: { email: '[email protected]', password: 'this will be hashed!' }
})

// Runs no validations (previous behavior)
const newUser = context.entities.User.create({
  data: { email: '[email protected]', password: 'this will be hashed!' },
  _waspSkipDefaultValidations: true, // defaults to false
})

// Runs just their validations
const newUser = context.entities.User.create({
  data: { email: '[email protected]', password: 'this will be hashed!' },
  _waspSkipDefaultValidations: true,
  _waspCustomValidations: [
    { name: 'password should not be "password"', fn: data => data.password !== 'password' },
    // More can be added below (note: it stops on first to return false)
  ]
})
```
You could also run them all by omitting _waspSkipDefaultValidations in the final example, or setting it to false.