[BUG] - Profile login details in plaintext in cookies

[bigbeka]

Describe the bug
Looking into the dev console, I can see that profiles that are logged in have their IP, username and password saved in plaintext.

This is a very serious vulnerability. I am not sure if/what tasks there are to improve auth and security.

Expected behavior
I believe login session should be saved as token and not plaintext password.

[hkdeman]

Hey @bigbeka, thank you for using WhoDB!

Let us check this logging bug. We want to deliver the best security measures. Getting back to you in the next day!

[modelorona]

Hey hey, so @hkdeman and I discussed this during the last couple of days - originally the idea of storing the credentials in the cookies is so that the server would not be aware. We wanted to give the end user the control. Storing in plaintext is not ideal, I agree.

For the desktop versions, we transitioned to using a keyring to store credential information there - this works because it's still on the end user's side, there's not a distinction of remote server vs local, it's all local. If we were to implement server keyring storage for the web version, this would mean the server would have control of the credentials.

There's potential in encrypting the credentials client side and then decrypting on the server side, but this would still have to be stored in the browser's storage. Came across this https://armur.ai/website-security/client/client/client-side-storage-security/#5-secure-key-storage, would need to look into it to see what it's doing since I originally thought browsers didn't (yet) have access to hardware backed secure storage (article claims otherwise).

Ultimately we're just trying to find a solution that's usable, updateable, secure, and makes sense. We might implement several options, so users can decide based on what they feel is best for them, but for now we'll decide on one.

[bigbeka]

Hi @hkdeman and @modelorona thank you very much for looking into it! I don't have any knowledge or experience with these points, I am just a user, but happy to test and see where I can help. I will keep an eye out for other apps, where they have similar setups and you could look into implementing something. Would it be okay to keep the issue open for now? If anything comes up, I will update here.

[modelorona]

We appreciate you using WhoDB and giving us feedback, it's the best way to make the application better :) def keep this issue open until it gets resolved

[dhimanAbhi]

HI @modelorona , I would like to work on this issue, could you please assign this to me?

[modelorona]

Hi @dhimanAbhi thanks for your interest but this is one that @hkdeman and I have already started locally

[modelorona]

@dhimanAbhi however if you'd like to work on some other stuff, there are some desktop bugs discovered that are available tickets.

[dhimanAbhi]

@dhimanAbhi however if you'd like to work on some other stuff, there are some desktop bugs discovered that are available tickets.

@modelorona Sure, I’d love to work on those desktop bugs as well. Could you please point me to the relevant issues or tickets?