password in raw to the API
Answered
Silver carp posted this in #help-forum
Silver carp (OP)
Hi,
I want to add auth to my Next.js app.
I'm using Prisma/SQLite and I don't want to use NextAuth.js (actually).
Following problems with the client/server aspects of Next.js, the main solution I've found is to use the API routes. I've managed to set this up, but I don't really like the fact of POSTing the password in clear text.
I use salt encryption, which I store in a database.
Is it normal to pass the password in clear? I was thinking of using an asymmetric protocol (maybe it's overkill)?
Sorry for my broken English!
Answered by B33fb0n3
Yes, it is normal. The password should be encrypted by the server and not by the client. So when doing auth the client sends it in clear to the API endpoint, the server encrypts it and compares it against the hashed password in the database. If it matches, the user has auth.
5 Replies
Silver carp (OP)
Thanks a lot for your answer!
sure thing
Make sure to use HTTPS. POSTing cleartext is covered by the HTTPS encryption.
Silver carp (OP)
Good point! I completely forgot these things.
I'm relieved now!