Hey Everyone,
I just want to see if I'm using a decent method of storing passwords in an AWS database.
The passwords are generated using PBKDF2, and stored in my database as a salt, and a hash like so:
This database isn't securing any sort of financial or ultra-sensitive data, but I obviously do not want it to just be freely accessible.
Here is the code I'm using in my Retool app for verifying the user/password:
// Read the submitted credentials from the login form.
let pass = form1.data.password
let user = form1.data.username
// Look up the stored salt and hash for this username.
let result = await Login.trigger({additionalScope:{"username":user,"password":pass}})
let salt = result.pword_salt[0]
let hash = result.pword_hash[0]
console.log(pass,user,result) // note: this prints the plaintext password and the stored record to the browser console
// Re-derive the key from the submitted password and the stored salt.
// Only keySize (128 bits) is set; iterations and hasher fall back to the CryptoJS defaults.
var key = CryptoJS.PBKDF2(pass, salt, {
  keySize: 128 / 32
});
// The stored hash is a JSON-encoded array of 32-bit words; compare it with the derived key's words.
if(key.words.toString() == JSON.parse(hash).toString()){
  utils.showNotification({title:"Success",description:"Logged In!",notificationType:"success",duration:1})
  localStorage.setValue("loggedIn",true)
  checkAccess.trigger()
}else{
  utils.showNotification({title:"Invalid Password",description:"Password Incorrect",notificationType:"error",duration:5})
}
Just looking for some feedback, or suggestions, or glaring issues!
The biggest one I see is that if a user knows the localStorage key I'm using, they could just go into the console on the page and set the 'loggedIn' value to true, right? What would be a better way to track that they have logged in, for example if they refresh the page?
Thanks!