u
When I was working to override some of the backend APIs I noticed that the user password was available in the `input` object in plaintext. I'm not a cryptography expert by any means, but I was under the impression that passwords should be hashed on the FE and then the hash is sent to the backend. Isn't sending the password to the backend, even when using TLS, bad practice?
r
Hey!
Not necessarily. Hashing the password on the frontend would prevent you from enforcing password strength on the backend. So there are pros and cons.
If you want to hash it on the frontend though, you can. Just override the sign-up / sign-in functions on the frontend to hash the password before calling the original implementation.
u
Oh, that's a good point I hadn't considered.
So is the password ever hashed on the backend in the original implementation or is that left for the developer to decide?
r
It is hashed, of course. When it's sent to the core, the core hashes it before storing it in the DB.
And the password strength validation happens at the backend SDK level.
u
Gotcha, cool. Thanks for clarifying.