Node.js Authentication and Data Security
Tim Messerschmidt, Head of Developer Relations, International, Braintree
@Braintree_Dev / @SeraAndroid #HTML5DevConf
That's me
+ Braintree since 2013

Content
1. Introduction (current section)
2. Well-known security threats
3. Data Encryption
4. Hardening Express
5. Authentication middleware
6. Great resources
The Human Element
Top 10 Passwords 2014 (bit.ly/1xTwYiA)
1. 12345
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
Honorary Mention: superman, batman
Authentication & Authorization

Section 2: Well-known security threats
OWASP Top 10 (bit.ly/1a3Ytvg)
1. Injection
2. Broken Authentication
3. Cross-Site Scripting (XSS)
4. Direct Object References
5. Application Misconfigured
6. Sensitive Data Exposed
7. Access Level Control
8. Cross-site Request Forgery (CSRF / XSRF)
9. Vulnerable Code
10. Redirects / Forwards
Section 3: Data Encryption

Hashing: MD5, SHA-1, SHA-2, SHA-3
http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

Passwords recovered from the Ashley Madison dump: ishouldnotbedoingthis, whyareyoudoingthis, justtryingthisout, thebestpasswordever
arstechnica.com/security/2015/09/ashley-madison-passwords-like-thisiswrong-tap-cheaters-guilt-and-denial
Efficient Hashing: crypt, scrypt, bcrypt, PBKDF2

md5 vs bcrypt, 10,000 iterations (github.com/codahale/bcrypt-ruby)

           user    system  total
MD5        0.07    0.0     0.07
bcrypt     22.23   0.08    22.31
Salted Hashing: algorithm(data + salt) = hash
Section 4: Hardening Express

'use strict'

Regex (ReDoS): owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

X-Powered-By

NODE-UUID: github.com/broofa/node-uuid
HTTP Parameter Pollution

GET /pay?amount=20&currency=EUR&amount=1
req.query.amount = ['20', '1'];

POST amount=20&currency=EUR&amount=1
req.body.amount = ['20', '1'];
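An added example, not from the slides, showing how a repeated key becomes an array under the parsing Express applies to query strings and urlencoded bodies, and a small guard that refuses a polluted parameter outright rather than letting one layer validate "20" while another charges "1". The `parseParams` helper stands in for `req.query` / `req.body`; the amount format it accepts and the `handlePay` result shape are assumptions made for the example.

```javascript
'use strict';

// Parse a query string or a urlencoded body the way Express's query parser and
// body-parser treat repeated keys: the first occurrence is a string, a repeat
// turns the value into an array in arrival order.
function parseParams(raw) {
  const params = {};
  for (const [key, value] of new URLSearchParams(raw)) {
    if (params[key] === undefined) params[key] = value;
    else if (Array.isArray(params[key])) params[key].push(value);
    else params[key] = [params[key], value];
  }
  return params;
}

// Refuse a parameter that arrived more than once instead of silently picking
// one copy: a validator that reads params.amount[0] and a charge routine that
// reads the last value would otherwise disagree about what was requested.
function requireSingle(params, name) {
  const value = params[name];
  if (value === undefined) throw new Error('missing parameter: ' + name);
  if (Array.isArray(value)) throw new Error('duplicated parameter: ' + name);
  return value;
}

// Validate the amount as a positive decimal with at most two fractional digits
// (format assumed for this example) and return it as a number.
function parseAmount(params) {
  const text = requireSingle(params, 'amount');
  if (!/^\d{1,9}(\.\d{1,2})?$/.test(text)) throw new Error('invalid amount: ' + text);
  return Number(text);
}

// Handle the /pay request from the slide: returns a result object instead of
// writing an HTTP response, so the two outcomes can be compared directly.
function handlePay(rawQuery) {
  const params = parseParams(rawQuery);
  try {
    return { ok: true, amount: parseAmount(params), currency: requireSingle(params, 'currency') };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed requests: the polluted one from the slide and a clean one.
console.log(parseParams('amount=20&currency=EUR&amount=1').amount); // [ '20', '1' ]
console.log(handlePay('amount=20&currency=EUR&amount=1'));          // { ok: false, error: 'duplicated parameter: amount' }
console.log(handlePay('amount=20&currency=EUR'));                   // { ok: true, amount: 20, currency: 'EUR' }
```

The same `requireSingle` check belongs in front of any parameter that is both validated and acted upon; the `hpp` package for Express applies a comparable policy to every request, but a per-parameter guard makes the decision explicit at the point where the value is used.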
bcrypt: github.com/ncb000gt/node.bcrypt.js

A bcrypt-generated hash: $2a$12$YKCxqK/QRgVfIIFeUtcPSOqyVGSorr1pHy5cZKsZuuc2g97bXgotS

Generating a hash using bcrypt

var bcrypt = require('bcrypt');

// cost factor 12; bcrypt generates the salt itself and embeds it in the hash
bcrypt.hash('cronut', 12, function(err, hash) {
  if (err) { throw err; }
  // store hash
});

// compare re-derives from the salt embedded in the stored hash
bcrypt.compare('cronut', hash, function(err, res) {
  if (err) { throw err; }
  if (res === true) {
    // password matches
  }
});
CSURF: github.com/expressjs/csurf

Using csurf as middleware

var csrf = require('csurf');
// cookie: false keeps the token secret in req.session, so session middleware must be mounted before this
var csrfProtection = csrf({ cookie: false });

app.get('/form', csrfProtection, function(req, res) {
  res.render('form', { csrfToken: req.csrfToken() });
});

app.post('/login', csrfProtection, function(req, res) {
  // safe to continue
});

Using the token in your template (Jade)

extends layout

block content
  h1 CSRF protection using csurf
  form(action="/login" method="POST")
    input(type="text", name="username", value="Username")
    input(type="password", name="password", value="Password")
    input(type="hidden", name="_csrf", value="#{csrfToken}")
    button(type="submit") Submit
Helmet: github.com/HelmetJS/Helmet

Using Helmet with default options

var helmet = require('helmet');
app.use(helmet.noCache());
app.use(helmet.frameguard());
app.use(helmet.xssFilter());
// …

// .. or use the default initialization
app.use(helmet());

Helmet for Koa: github.com/venables/koa-helmet

Lusca: github.com/krakenjs/lusca

Applying Lusca as middleware

var lusca = require('lusca');
app.use(lusca({
  csrf: true,
  csp: { /* ... */ },
  xframe: 'SAMEORIGIN',
  p3p: 'ABCDEF',
  xssProtection: true
}));

Lusca for Koa: github.com/koajs/koa-lusca
Section 5: Authentication middleware

Types of Express Middleware
1. Application-level
2. Route-level
3. Error-handling
Writing Custom Middleware

var authenticate = function(req, res, next) {
  // check the request and modify response; call next() only when the check passes
};

app.get('/form', authenticate, function(req, res) {
  // assume that the user is authenticated
});

// … or use the middleware for certain routes
app.use('/admin', authenticate);
Passport: github.com/jaredhanson/passport

Setting up a Passport strategy

var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy(function(username, password, done) {
  User.findOne({ username: username }, function(err, user) {
    if (err) { return done(err); }
    // note: distinct messages tell a caller whether the username exists; one generic
    // "Incorrect username or password." message avoids that
    if (!user) { return done(null, false, { message: 'Incorrect username.' }); }
    if (!user.validPassword(password)) { return done(null, false, { message: 'Incorrect password.' }); }
    return done(null, user);
  });
}));

Using Passport strategies for authentication

// Simple authentication
app.post('/login', passport.authenticate('local'), function(req, res) {
  // req.user contains the authenticated user
  res.redirect('/user/' + req.user.username);
});

// Using redirects
app.post('/login', passport.authenticate('local', {
  successRedirect: '/',
  failureRedirect: '/login',
  failureFlash: true
}));
NSP: nodesecurity.io/tools

Section 6: Great resources
Passwordless Auth: medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb
OWASP Node Goat: github.com/OWASP/NodeGoat
Node Security: nodesecurity.io/resources
Fast Identity Online (FIDO): fidoalliance.org
Security Beyond Current Mechanisms
1. Something you have
2. Something you know
3. Something you are

"Favor security too much over the experience and you'll make the website a pain to use."
smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form