About The Author
Darshan Somashekar is a technology entrepreneur who has built & sold two startups. His latest fun project is a solitaire site called Solitaired. Previously, …

If you’re anything like me, you’ve forgotten your password more than once, especially on sites you haven’t visited in a while. You’ve probably also seen, and/or been mortified by, reset password emails that contain your password in plain text. Unfortunately, the reset password workflow gets short shrift and limited attention during application development. This can not only lead to a frustrating user experience, but can also leave your application with gaping security holes. We’re going to cover how to build a secure reset password workflow. We’ll be using NodeJS and MySQL as our base components. If you’re writing in a different language, framework, or database, you can still benefit from following the general “Security Tips” outlined in each section. A reset password flow consists of the following components:
Besides Node, Express & MySQL, we’ll be using the following libraries:
Sequelize is a NodeJS database ORM that makes it easier to run database migrations as well as to securely create queries. Nodemailer is a popular NodeJS email library that we’ll use to send password reset emails.

Security Tip #1
Some articles suggest secure password flows can be designed using JSON Web Tokens (JWT), which eliminate the need for database storage (and thus are easier to implement). We don’t use this approach on our site, because JWT token secrets are usually stored right in code. We want to avoid having ‘one secret’ to rule them all (for the same reason you don’t salt every password with the same value), and therefore need to move this information into a database.

Installation
First, install Sequelize, Nodemailer, and other associated libraries:
In the route where you want to include your reset workflows, add the required modules. If you need a refresher on Express and routes, check out their guide.
And configure it with your email SMTP credentials.
The email solution I’m using is AWS’s Simple Email Service, but you can use anything (Mailgun, etc). If this is your first time setting up your email sending service, you’ll need to spend some time configuring the appropriate Domain Keys and setting up authorizations. If you use Route 53 along with SES, this is super simple and done virtually automatically, which is why I picked it. AWS has some tutorials on how SES works with Route 53.

Security Tip #2
To store the credentials away from my code, I use dotenv, which lets me create a local .env file with my environment variables. That way, when I deploy to production, I can use different production keys that aren’t visible in code, and therefore restrict access to my configuration to only certain members of my team.

Database Setup
Since we’re going to be sending reset tokens to users, we need to store those tokens in a database. I am assuming you have a functioning users table in your database. If you’re using Sequelize already, great! If not, you may want to brush up on Sequelize and the Sequelize CLI. If you haven’t used Sequelize yet in your app, you can set it up by running the command below in your app’s root folder:
This will create a number of new folders in your setup, including migrations and models. This will also create a config file. In your config file, update the

Let’s use Sequelize’s CLI tool to generate the database table for us.
This table has the following columns:
In the background, sequelize-cli is running the following SQL query:
Verify this worked properly using your SQL client or the command line:
Security Tip #3
If you’re not currently using an ORM, you should consider doing so. An ORM automates the writing and proper escaping of SQL queries, making your code more readable and more secure by default. Because parameters are escaped (or bound) for you, an ORM helps you avoid SQL injection attacks.

Set Up Reset Password Route
Create the GET route in user.js:
Then create the POST route, which is the route that is hit when the reset password form is posted. In the code below, I’ve included a couple of important security features.

Security Tips #4-6
You’ll see a User variable referenced above — what is this? For the purposes of this tutorial, we’re assuming you have a User model that connects to your database to retrieve values. The code above is based on Sequelize, but you can modify as needed if you query the database directly (but I recommend Sequelize!). We now need to generate the view. Using Bootstrap CSS, jQuery, and the pug framework built into the Node Express framework, the view looks like the following:
Here’s the form on the page:

At this point, you should be able to fill out the form with an email address that’s in your database, and then receive a reset password email at that address. Clicking the reset link won’t do anything yet.

Set Up “Reset Password” Route
Now let’s go ahead and set up the rest of the workflow. Add the Sequelize.Op module to your route:
Now let’s build the GET route for users that have clicked on that reset password link. As you’ll see below, we want to make sure we’re validating the reset token appropriately.

Security Tip #7
Ensure you’re only looking up reset tokens that have not expired and have not been used. For demonstration purposes, I also clear out all expired tokens on load here to keep the table small. If you have a large website, move this to a cron job.
Now let’s create the POST route, which is what is hit once the user fills out their new password details.

Security Tips #8 through #11
This is what it should look like:

Add The Link To Your Login Page
Lastly, don’t forget to add a link to this flow from your login page! Once you do this, you should have a working reset password flow. Be sure to test thoroughly at each stage of the process to confirm everything works and your tokens have a short expiration and are marked with the correct status as the workflow progresses.

Next Steps
Hopefully this helped you on your way to coding a secure, user-friendly reset password feature.