在 nodejs 中创建安全令牌

Question

. Answers to this question are eligible for a +50 reputation bounty. Bounty grace period ends in 3 hours . user2675468 is looking for an .

I have a json with the date:

{
  password: 'mySecretPwd',
  validUntil: dayjs().add(1, 'hour').toDate(),
  userId: '29038492132'
}

Now I want to create something like a magic link (myUrl/). When the person is clicking on the link it has to open a webpage and the user has to write their password into a textfield. After submit it sends a request with the user input and the token from the link. The server then checks whether the input is equal to the user input in the token and validate the user or not.

Now my question is how to achieve that. My code looks like that:

const crypto = require('crypto')

const algorithm = 'aes-256-ctr'
const secretKey = process.env.JWT_TEST_RESULT_SECRET

export const encrypt = (text) => {
  const iv = crypto.randomBytes(16)

  const cipher = crypto.createCipheriv(algorithm, secretKey, iv)

  const encrypted = Buffer.concat([cipher.update(text), cipher.final()])

  return {
    iv: iv.toString('hex'),
    content: encrypted.toString('hex')
  }
}

Because I need the iv for decoding, I would create the link like that: myUrl/<content>_<iv>

Is that a good and secure approach or not?

I hope you have some input. THANKS for that

Answer 1

I assume you want to implement 2fa into your project.

for 2fa authentication you would reset your user's password whenever they try to log in then send them a token as a response and save it in your project memory (in a variable or your state management).

for achieving it this way (not storing the token) it's better if you mail them after they ask to login, (you can use SendGrid for that) a link they can click on and insert their password and of course along with their new password as well (I suggest you consider either only using a token with a static password or only sending them a password). like:

hi dear user, your new password is: NEW_PASSWORD, insert your password in the link below: YOUR_FRONT_END.com/insert-password/?token=NEW_TOKEN&username=USERNAME (I suggest you put an expiration time of 2 min for the token)

in the front end we are looking for the token and the username in the query in nuxt.js for example you can access the items in the query by writing this.$route.query.YOUR_DESIRED_ITEM_IN_QUERY.

if we got our desired item in the query we ask the user to insert their password, else we redirect them to the login page.

after they insert the password we send the username, password & token to the backend to validate them.

for validating password & hashing it:

I would consider using bycrypt . since it is easy to use and you want to expire your password every 1 hour (which I recommend for 2 min). there is no need for something more complex.

but if you want to have a static password (and you want it to be as secure as it gets) for your users that won't change over time unless the users themselves update it, I suggest you don't store the password(even the hashed version of it) in the database.

for achieving that you must hash unchangeable data from the user (like the id) with your password as the key and store that hashed data in the database, this way even if the hashed data you've stored gets decrypted the attacker won't have access to the password, instead they would get the id.

FIRST STEP: convert your password to base 32. (you are going to use your password as your key latter on),

function convertPassword (secretKey, password) {
    
        if(!password.length || password.length > 32){
            return false;
        }
    
        if(secretKey.length !== 32) {
            return false;
        }
    
        return`${secretKey.split('').splice(password.length).join('')}${password}`;
        
    }

STEP 2: encryption

import {randomBytes, createCipheriv} from "crypto";    
function encrypt (textToEncrypt, secretKey) {
    
        if(secretKey.length !== 32){
            return false
        }
    
        const cipher = createCipheriv('aes-256-ctr', secretKey, randomBytes);
    
        const encrypted = Buffer.concat([cipher.update(textToEncrypt), cipher.final()]);
    
        return  `${randomBytes.toString('hex')}:${encrypted.toString('hex')}`
    
    }

in this step you pass user id as the "textToEncrypt" & converted password as "secretKey".

and finally the LAST STEP: decryption

import {createDecipheriv} from "crypto";
    function decrypt (encryptedText, secretKey, id) => {
        
        if(secretKey.length !== 32){
            return false
        }

        const splicedHash = encryptedText.split(':')
    
        const hashIv = splicedHash[0]
        const hashContent = splicedHash[1]
    
        const decipher = createDecipheriv('aes-256-ctr', secretKey, Buffer.from(hashIv, 'hex'));
    
        const decrypted = Buffer.concat([decipher.update(Buffer.from(hashContent, 'hex')), decipher.final()]);
    
        const result = decrypted.toString();
        
        return result === id;
    }

encryptedText is the text you've stored into your database, secretKey is the password that user has inserted and you've ran through your convert password function and id is the user id that you have used to encrypt. this function returns true if the password is valid and false if its not.

PS: if your project doesn't require THAT much security i'd still suggest you use bycrypt