Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
redux-persist-transform-encrypt
Advanced tools
Encrypt your Redux store.
redux-persist-transform-encrypt
must be used in conjunction with redux-persist
, so make sure you have that installed as well.
yarn add redux-persist-transform-encrypt
npm install redux-persist-transform-encrypt
import { persistReducer } from 'redux-persist';
import { encryptTransform } from 'redux-persist-transform-encrypt';
const reducer = persistReducer(
{
transforms: [
encryptTransform({
secretKey: 'my-super-secret-key',
onError: function (error) {
// Handle the error.
},
}),
],
},
baseReducer
);
Asynchronous support was removed in v3.0.0, as it was never fully supported and is not able to be implemented correctly given the current constraints that redux-persist
imposes on transforms. See #48 for more details.
The onError
property given to the encryptTransform
options is an optional
function that receives an Error
object as its only parameter. This allows
custom error handling from the parent application.
The secretKey
provided to encryptTransform
is used as a passphrase to generate a 256-bit AES key which is then used to encrypt the Redux store.
You SHOULD NOT use a single secret key for all users of your application, as this negates any potential security benefits of encrypting the store in the first place.
You SHOULD NOT hard-code or generate your secret key anywhere on the client, as this risks exposing the key since the JavaScript source is ultimately accessible to the end-user.
If you are only interested in persisting the store over the course of a single session and then invalidating the store, consider using the user's access token or session key as the secret key.
For long-term persistence, you will want to use a unique, deterministic key that is provided by the server. For example, the server could derive a hash from the user's ID and a salt (also stored server-side) and then return that hash to the client to use to decrypt the store. Placing this key retrieval behind authentication would prevent someone from accessing the encrypted store data if they are not authenticated as the user.
[5.1.1] - 2023-12-14
default
to the end of exports
in package.json
FAQs
Encrypt your Redux store.
The npm package redux-persist-transform-encrypt receives a total of 8,614 weekly downloads. As such, redux-persist-transform-encrypt popularity was classified as popular.
We found that redux-persist-transform-encrypt demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.