Symfony Rest API, WSSE and Bcrypt

0
votes

I have a Symfony 2.7 installation with FosUserBundle (users), FosRestBundle (API) and NelmioCorsBundle (CORS). I followed some guides which were written at a (recent if I understand well) time where FosUserBundle was using SHA512 with a salt for passwords encryption.

I have a working WSSE server on my Symfony, and I'm trying to make requets from a Javascript client in a secure way. With the old "SHA15 + salt" way, I see how to do it : a public api for getting the salt on the client side, on we recreate the encrypted password "as in the database" before sending it via WSSE header. I think this is also good for keeping the password in cache (better than a non encrypted password).

But since bcrypt have a built in salt, how can I generate the encrypted password in the client side ? Of course one solution would be stop using bcrypt and start using SHA512 + salt but less secure; and other solution would be something like oauth2 and HTTPS, but I would like to find a secure solution without HTTPS for now.

Any clue ?

Thanks !

1
javascriptsymfonyencryptionbcryptwsse

1 Answers

0
votes

If you are able to generate encrypted passwords on the client side that match what your server has then you may as well not use passwords at all. No matter how you do it, it going to be insecure.

Take a look at a token based approach. Plenty of examples out there.

  1. Client sends a token request with something like:
  2. POST /tokens (user name and password as payload, https only please)
  3. Server authenticates the user and returns a token (possibly a json web token)
  4. Client sends the token back on each request, usually in a header