WebFund 2015W Lecture 22
Video
The video from the lecture given on Monday, March 30, 2015 is now available.
Notes
The tls-notes application
Some changes in the application
- The application now uses HTTPS as the protocol.
- You can log in with username as in the previous ajax-notes, however now you need a password as well.
- Visually, the app is different. The buttons look “prettier”. That is because the app uses Bootstrap.
- Bootstrap is a toolkit which can be used to help improve your application.
- In order to use Bootstrap, you will need to include a reference to the script in the head of the layout template.
- With Bootstrap linked, you can apply CSS classes to elements in your pages to make them look nicer.
- There is no longer an edit button - note names are now links that go to the edit note view.
- Change username is not working (fixing this is a requirement of the assignment).
- There is another collection being stored in the database, the users collections.
- Markup is basically the same with mild changes to notes.js adding divs and classes.
- A ConvertNote function is added to notes.js in order to escape HTML tags and parse links when you insert into the notes.
Basically the assignment consists of a lot of debugging the code to fix it the problems in the version of the app provided.
Storing passwords
How do you store password on the server? – In MongoDB, within the users collection, all usernames and passwords are stored. However; the password is hashed. To check a password, you hash some input provided and compare it to the hashed value that is stored. This is important because if someone hacks into your website, you do not want them to have your password and they cannot get it without figuring out the hash.
You should never do the hashing on the client side, the server always does it. This is to prevent others from seeing what is done as this will reveal information to them about your hashing process.
Inside the /register route of the tls-notes app, we can see a checkUsername function that uses bcrypt.hash. This takes an input string and hashes it. Before you call bcrypt.hash you must call bcrypt.gensalt. The salt is used to customize the hashed password. If you did not use a salt, a hacker can look up tables of hashed passwords but with the salt it changes the resultant hash value of the input string which makes it more secure. – We will not be tested on this, it is for personal interest.
In the saveHash function in index.js you use an update function when adding a new user because you first check if the user already exists and if they do it will never overwrite an account, it ‘updates it’.
It is important to have a secure connection when working with passwords. If the connection is not secure, anyone can see your password if they look at the data you are sending to the server. Using password hashing without using a secure connection is insufficient.
If you are interested in hashing and security against hacking – look up “rainbow tables”.