BREAKING: Include hashParameters in password and nonce tokens. This change should be a mostly backwards compatible change but is marked breaking because it is a data structure change. However, if a password token does not have a hashParameters property, it is assumed to be bcrypt and is internally modified to add matching hashParameters before being returned. If a nonce token does not have a hashParameters property, it is auto-expired. Password / nonce hashing must be performed on the client, so the hash parameters are new information to be sent to the client so it can produce a matching hash.
BREAKING: If client registration was used in an application previously, clients will need to re-register because prefixed hashes are no longer used internally (to eliminate unnecessary complexity).
BREAKING: Store fast hashes of token values as binary data instead of as base64 strings. This change should not require any database migration and the code handles old values retrieved from the database that are strings.
BREAKING: Machine-entry style nonces are no longer slow hashed because it is unnecessary complexity that does not add security. Nonces generated this way and entered this way should be submitted as challenge to be verified, not hash.
Use of prefixed hashes is now deprecated and its configuration option (hashPrefix) will be removed in a future version. It is an unnecessary complexity that does not add security (given the other design choices).

Removed

BREAKING: Remove database explain option from most public APIs.
BREAKING: Remove challenge type. This type was never implemented and can be confused with the option challenge which specifies an unhashed value to be provided when verifying a totp token.
BREAKING: Remove bcrypt from configuration and as an internally-used slow hash function. Use pbkdf2 instead because it is widely available in clients, especially web browsers -- which is where most slow hashing occurs given the current design.

Keywords

bedrock

FAQs

What is @bedrock/authn-token?

Is @bedrock/authn-token popular?

Is @bedrock/authn-token well maintained?

Package last updated on 21 May 2022

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

@bedrock/authn-token

bedrock-authn-token

10.0.0 - 2022-05-21

Changed

Removed

Keywords

Related posts

Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware

Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages