Tutorial: Implementing Models

Integrating Models
Extending PassportJS

In our previous tutorial we statically coded a set of user credentials in our API but this will not suffice for a real-world application.  In a true back-end application we would be required to make use of a data source with which to retrieve and verify credentials and profile information.

Storing sensitive information on disk, in a database for instance, raises the question of how that information is protected.  Many information security mechanisms are available, usually at a price; our basic API will make use of password hashing to protect at least the user's password.

A Note About PBKDF2

The world has long moved on from password schemes such as MD5, and it's surprising to see how many applications still make use of this hashing scheme when storing passwords in databases.

With MD5 an attacker can test candidate passwords at a rate of billions per second, using pre-computed hash tables or brute force, because the scheme has no defensive capability to slow this down.  All one needs is to find an input whose hash matches the value retrieved from the database and one has a usable password.

PBKDF2 (Password-Based Key Derivation Function 2) is a significantly stronger approach: it combines the password with a long random salt value and applies many iterations (rounds) of a hash function.  This has two immediate benefits.  Firstly, because each password gets its own random salt, pre-computed hash tables and dictionaries are rendered useless, as these are only effective when the same password always produces the same hash.  Secondly, by using many iterations, up to a million in some cases, an attacker must spend an inordinate amount of time on each brute-force guess for each password.

Consequently it takes significantly longer for an attacker to brute-force a working password hashed with PBKDF2 than one hashed with a plain, unsalted function such as MD5 or SHA.

In addition to a significantly improved password hashing mechanism we also extend the API by making use of an adapter-based ORM.  In our implementation we will make use of Waterline, an excellent API providing adapter-based access to various data sources.  This is greatly beneficial as it means the same routines and procedural code in our application will give us access to data sources such as MySQL, Postgres, Oracle and other engines purely by swapping the adapter.

Up Next: Implementing the Model


Written by YourAPIExpert