I am coding up the security for a website in express.js and postgresql db. Now I have been reading about salting and hashing and I have the code set up with pdkdf2 using the crypto module, but my issue is how I will structure the account table in the db. What If i would create a login role which will have an MD5 encrypted format for the password, which password will be the derived key from the salt n hash "procedure". Would that be an overkill of protection?
There will be a table which will be as follows: UID (the ID from the login role), SALT , HASH. And also the loginrole.
So on a try for authentication, the code will try to login as that role, first by getting the assosiated UID, generating the salt n hashed password for the password provided and auth on a DB level.
Hope I am making some sense..
var usrSalt = crypto.randomBytes('128').toString('base64');
//text , salt ,iterations , keylen , callback
crypto.pbkdf2(usr, usrSalt, 10000, 512, function (err, derivedKey) {
if (err) { console.log(err); }
else {
usr = derivedKey;
next();
}
});
P.S Would a pgcrypto module be better again in the same scenario, just by removing the code on node.js.
This answer is at a higher level, not the low level of actual code.
"Overkill of protection" is relative to your project. The 10000 iterations will take some amount of time and MD5 will provide some level of encryption. Both might be suitable for your project, and will have to rank as a priority compared to other aspects (speed, features, etc.).
To keep speaking in generalities, some level of good security practices will protect some percentage of your user data, and with a determined attacker some other percentage might "always" be compromised.
The choice for
pgcrypto
is similar. If it is as sufficient as the code you plan to write (it is defacto more tested than your current code), its handling will be on your DB server. Good to keep it off the Node server? Easy to maintain? Less work? "Better" will be relative to your project.Salting and hashing passwords is not overkill, it is the absolute minimum you should do if you cannot avoid dealing with passwords entirely.
It's hard to figure out what you mean with the second part, regarding this being used to auth on a DB level. You usually either do application level authentication using your own usernames/passwords, or you create real users in PostgreSQL and let PostgreSQL authenticate them by simply passing their password and username through to PostgreSQL when you create a connection.
There's an intermediate way, which you might be trying to get at. Authenticate the user yourself, then use
SET SESSION AUTHORIZATION
to have your PostgreSQL database session "become" that user. It's a bit of a specialized approach, and not one I tend to use most of the time. It is mostly used by connection poolers.See also: