
Authentication

We use the bcrypt algorithm for authentication.

Libraries

Procedures

During registration, we send a hashed password to the server instead of the plain password. Since sha256 is used to generate the client-side encryption key, we must not use sha256 here, to avoid exposing the client encryption key to the server. Although we won't store it, we must prevent any possibility of a data leak.

For example, we can use sha512.

To be more secure, we can hash the password multiple times.

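// Hash the password in the browser (Web Crypto API) before it leaves the client
async function sha512(text) {
  const digest = await crypto.subtle.digest("SHA-512", new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

const password = "xxx"; // username and password come from the registration form
const hashedPass = await sha512(password);
await fetch("/api/register", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ username: username, password: hashedPass }),
});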

The same applies to login: the login password must be hashed the same way before it is sent to the server.

Then, on the server side, we use bcrypt to hash the password again and store the result in the database.

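const bcrypt = require("bcrypt"); // assumes the npm bcrypt package
const saltRounds = 10; // bcrypt cost factor (example value)

// hashedPass is the client-side hash received in the request
const salt = bcrypt.genSaltSync(saltRounds);
const hash = bcrypt.hashSync(hashedPass, salt);
// store hash in DB

// compare on login
bcrypt.compareSync(hashedPass, hashInDB);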

Now we can guarantee that the user's password can never be seen by the server, and that it can also be used for client-side encryption.
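
The registration and login procedure above, end to end, as an added example that is not the project's own code. Node's built-in `crypto.scryptSync` stands in for bcrypt and a `Map` for the database so it runs without third-party packages; the function names and `rounds = 3` are assumptions.

```javascript
// Added example, not the project's code. scrypt stands in for bcrypt and a Map
// stands in for the database so that the block runs on Node's built-ins alone.
const crypto = require("node:crypto");

// Client: hash the password `rounds` times; the hex result is what gets sent.
function authHash(password, algo = "sha512", rounds = 3) { // rounds = 3 is assumed
  let out = Buffer.from(password, "utf8");
  for (let i = 0; i < rounds; i++) out = crypto.createHash(algo).update(out).digest();
  return out.toString("hex");
}

// Client: sha256 of the password is the encryption key; it is never sent.
function encryptionKey(password) {
  return crypto.createHash("sha256").update(password, "utf8").digest("hex");
}

const users = new Map(); // hypothetical in-memory user table

// Server: slow-hash whatever the client sent (bcrypt.hashSync in the page's flow).
function register(username, clientHash) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, hash: crypto.scryptSync(clientHash, salt, 32) });
}

// Server: recompute and compare (bcrypt.compareSync in the page's flow).
function login(username, clientHash) {
  const rec = users.get(username);
  if (!rec) return false;
  return crypto.timingSafeEqual(crypto.scryptSync(clientHash, rec.salt, 32), rec.hash);
}

function demo() {
  const password = "correct horse battery staple"; // constructed sample input
  register("alice", authHash(password));
  return {
    goodLogin: login("alice", authHash(password)),
    badLogin: login("alice", authHash("wrong password")),
    // A single sha256 pass would hand the server the encryption key itself.
    leakWithSha256: authHash(password, "sha256", 1) === encryptionKey(password),
    leakWithSha512: authHash(password) === encryptionKey(password),
  };
}

console.log(demo());
```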