I want to apply gun.user in my project. When I store the user in sessionStorage using user.recall(opt), this code in sea.js stores the password in tmp without encryption. Is that okay? Or should I encrypt the password before calling .auth?
Here is my code.
```javascript
// Sign-up: create the user, then authenticate with the same credentials.
jq('#up').on('click', (e) => {
  let form = check();
  if (!form) { return }
  S.user.create(form.alias, form.pass, (ack) => {
    if (ack.err) { return S.tell(ack.err) }
    check.up = true;
    S.user.auth(form.alias, form.pass, logined);
  });
});

// Sign-in: authenticate an existing user.
jq('#in').on('click', (e) => {
  let form = check();
  if (!form) { return }
  S.user.auth(form.alias, form.pass, logined);
});

// On successful auth, keep the session across page loads via sessionStorage.
let logined = (ack) => {
  if (ack.err) { return S.tell(ack.err) }
  S.user.recall({sessionStorage: true});
}
```
Also, I found the documentation for user.create(): "Passphrase that will be extended with PBKDF2 to make it a secure way to login."
However, there is plain text in my session storage. The gun version is 0.2019.515.
@huhsame, great concern! (And btw, incredible GUN AR/VR demos on your twitter!)
Browsers require domain-based security which sadly limits P2P security.
Unfortunately, sessionStorage is the safest browser option:
Between page loads, encrypting the password is a good idea, but the problem is that to keep the user logged in, the decryption key also has to be stored. :(
Storing credentials in localStorage is unsafe, which is why sessionStorage is better.
Warning! Unless you use a Browser Extension (below) or Browsers adopt better solutions, an XSS leak can compromise credentials from sessionStorage - but even if you disable it, credentials can be pulled from in-memory without an Extension to protect accounts.
PBKDF2 is used during the login process, not session management - again, it could be used there as well, but has the same limitations as above.
Even sessionStorage does not work well for keeping users logged in.
As a result, you should consider other solutions. I've written more about other options here:
Keeping a Gun DB user authenticated during a session
For the best security, users would sadly need to install a browser extension, like our http://party.lol tool, until Browsers adopt this type of security natively, or offer better user-centric session management.