
encrypt logto passwords clientside #5

Merged
kyrregjerstad merged 2 commits into logto-bitfocus from feat/encrypt-passwords
Oct 9, 2025

Conversation

@kyrregjerstad

No description provided.

@github-actions

github-actions bot commented Oct 8, 2025

COMPARE TO master

Total Size Diff 📈 +7.58 KB

Diff by File
Name Diff
packages/console/src/containers/ConsoleContent/Sidebar/hook.tsx 📈 +190 Bytes
packages/core/src/index.ts 📈 +330 Bytes
packages/core/src/middleware/koa-security-headers.ts 📈 +336 Bytes
packages/core/src/routes/experience/verification-routes/password-verification.ts 📈 +13 Bytes
packages/core/src/utils/password-decryption.ts 📈 +3.5 KB
packages/experience/package.json 📈 +64 Bytes
packages/experience/src/constants/env.ts 📈 +109 Bytes
packages/experience/src/hooks/use-encryption.ts 📈 +2.74 KB
packages/experience/src/hooks/use-password-sign-in.ts 📈 +300 Bytes
packages/experience/src/pages/SignIn/index.tsx 📈 +89 Bytes
packages/experience/src/utils/crypto.ts 📈 +662 Bytes
packages/experience/vite.config.ts 📈 +108 Bytes
packages/schemas/src/types/interactions.ts 📈 +273 Bytes
pnpm-lock.yaml 📈 +145 Bytes

@gemini-code-assist

Summary of Changes

Hello @kyrregjerstad, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements client-side encryption for Logto passwords. It introduces new utilities and hooks for encrypting passwords using RSA-OAEP with a server-provided public key and seed on the client, and corresponding server-side logic to decrypt these passwords using a private key. The API payload for password verification is updated to accommodate the encrypted password and seed. This enhances security by preventing plain-text password transmission.

Highlights

  • Intent: This pull request aims to enhance security by implementing client-side encryption for Logto passwords. Passwords will now be encrypted on the client before being sent to the server, preventing them from being transmitted in plain text.
  • Key Changes:
    1. Client-side Encryption Logic: A new React hook (useEncryption) and utility (src/utils/crypto.ts) are introduced in packages/experience. The hook fetches the server's RSA public key and a unique seed, then uses node-forge to encrypt the password (concatenated with the seed) before submission.
    2. Server-side Decryption Logic: A new utility (src/utils/password-decryption.ts) is added to packages/core. This utility uses node:crypto to decrypt the incoming encrypted password using a shared RSA private key and validates the decryption using the provided seed.
    3. API Payload Update: The PasswordVerificationPayload in packages/schemas is updated to include the encryptedPassword and the seed.
    4. Password Verification Flow: The password-verification.ts route in packages/core is modified to use the new decryption utility before processing the password.
    5. Dependency Updates: node-forge and its types are added to packages/experience/package.json and pnpm-lock.yaml.
    6. Local Development Configuration: http://localhost:3001 is added to allowed security headers in koa-security-headers.ts, likely to support a new local www app endpoint for fetching encryption keys.
  • Impact: This change significantly improves the security posture by ensuring that sensitive user passwords are encrypted end-to-end, reducing the risk of interception in transit. It introduces new client-side and server-side components to manage this encryption and decryption process.
  • Reviewer Notes: Reviewers should pay close attention to the correct implementation of RSA-OAEP encryption/decryption, the secure handling and loading of the private key on the server, and the seed validation mechanism. Also, verify the integration points between the client-side encryption hook and the password sign-in flow, as well as the updated API payload and server-side decryption.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces client-side password encryption, a significant security enhancement. The implementation looks solid, but there are a few critical areas that need attention, particularly around configuration and logging practices. Addressing these will make the feature more robust and secure.

@github-actions github-actions bot added size/xl and removed size/xl labels Oct 9, 2025
@kyrregjerstad kyrregjerstad merged commit 955d4d4 into logto-bitfocus Oct 9, 2025
15 of 28 checks passed
@kyrregjerstad kyrregjerstad deleted the feat/encrypt-passwords branch October 9, 2025 08:56
3 participants