
Research
Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials
Four npm packages disguised as cryptographic tools steal developer credentials and send them to attacker-controlled Telegram infrastructure.
secure-remote-password-js
This is a client and server implementation of 1Password's fantastic SRP library in TypeScript.
Bun is recommended.
SRP is a fascinating protocol. I highly recommend reading through 1Password's explainer to get familiar with its inner workings and message flow first.
This library uses the RFC 5054 groups between 2048 and 8192 bits. 4096 bits and above are highly recommended; anything smaller is unlikely to remain secure for long.
On your client and server, agree on a group (both sides must use the same one):
import { knownGroups } from "secure-remote-password-js";
const group = knownGroups[4096]; // RFC 5054 4096-bit group
You'll need a Key Derivation Function (KDF) to derive the SRP private value x from the user's password and salt. While this library includes a simple KDF for testing, you should use a strong, memory-hard KDF like Argon2id, bcrypt, or scrypt in production.
@phi-ag/argon2 is a great library for Argon2 in TS.
import { argon2id } from "@phi-ag/argon2";
// password and salt are the user's password and a per-user random salt;
// x is the private value fed to the SRP client below and never leaves the client
const x = argon2id.hash(password, salt);
Create an SrpClient instance on each side; the client is built from x, the server from the stored verifier:
import { SrpClient, knownGroups } from "secure-remote-password-js";
// On client side
const client = new SrpClient(knownGroups[4096], x, undefined, "client");
// On server side (using verifier)
const verifier = client.verifier(); // Generated once during registration; the server stores this instead of the password
const server = new SrpClient(knownGroups[4096], verifier, undefined, "server");
Exchange ephemeral public keys between client and server:
// Client generates and sends A to server
const clientPublicA = client.ephemeralPublic();
// Server generates and sends B to client
const serverPublicB = server.ephemeralPublic();
// Each side sets the other's public key
client.setOthersPublic(serverPublicB);
server.setOthersPublic(clientPublicA);
Both sides can now generate the shared session key:
// On both client and server
const key = client.getKey(); // or server.getKey()
Finally, verify that both parties derived the same key. Neither proof reveals the key itself, so a mismatch only tells you that authentication failed:
// Server generates proof and sends to client
const serverProof = server.computeM(salt, username);
const serverIsLegit = client.goodServerProof(salt, username, serverProof);
// Client generates proof and sends to server
const clientProof = client.clientProof();
const clientIsLegit = server.goodClientProof(clientProof);
if (serverIsLegit && clientIsLegit) {
// Both parties have authenticated successfully
// The shared key can now be used for secure communication
}
// Otherwise abort: do not use the key and do not reveal which check failed
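The steps above are easier to reason about once you see both sides' arithmetic side by side. The following is an added example, not code from secure-remote-password-js or 1Password, that walks the whole SRP-6a exchange in the README's order (group, KDF, verifier, A/B exchange, session key, proofs) in plain Python. Its assumptions: the group is a constructed 64-bit safe prime generated at import time so the demo is readable and instant (production code uses the RFC 5054 groups the library ships), scrypt from the standard library stands in for Argon2id, and the multiplier, padding and proof formulas follow RFC 5054 and RFC 2945. The function names (`register`, `srp_login`, `derive_x`) are this example's own.

```python
# Added example, not the library's code: a self-contained SRP-6a exchange.
# Group: CONSTRUCTED toy safe prime (N = 2q + 1), NOT an RFC 5054 group.
# KDF: scrypt in place of Argon2id. Formulas: RFC 5054 (k, u) and RFC 2945 (proofs).
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int = 64) -> int:
    """Constructed demo group: same shape as RFC 5054 groups (safe prime), but tiny."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1


N = toy_safe_prime()          # both sides must agree on (N, g)
g = 2
H = hashlib.sha256
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires before hashing."""
    return n.to_bytes(NLEN, "big")


def h_int(*parts: bytes) -> int:
    return int.from_bytes(H(b"".join(parts)).digest(), "big")


k = h_int(pad(N), pad(g))     # SRP-6a multiplier k = H(N || PAD(g))


def derive_x(username: str, password: str, salt: bytes) -> int:
    """The KDF step: a slow, salted hash of the password gives the private value x."""
    digest = hashlib.scrypt(f"{username}:{password}".encode(), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return int.from_bytes(digest, "big")


def register(username: str, password: str):
    """Enrolment: the server stores (salt, v); the password and x never leave the client."""
    salt = secrets.token_bytes(16)
    v = pow(g, derive_x(username, password, salt), N)   # verifier v = g^x mod N
    return salt, v


def srp_login(username: str, password: str, salt: bytes, v: int) -> dict:
    """One login attempt; comments mark which side computes each value."""
    x = derive_x(username, password, salt)               # client only
    a = secrets.randbelow(N - 1) + 1                     # client ephemeral secret
    A = pow(g, a, N)                                     # client -> server: A
    if A % N == 0:
        raise ValueError("server rejects A == 0 mod N")  # RFC 5054 check
    b = secrets.randbelow(N - 1) + 1                     # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N                       # server -> client: B
    if B % N == 0:
        raise ValueError("client rejects B == 0 mod N")
    u = h_int(pad(A), pad(B))                            # both sides
    if u == 0:
        raise ValueError("abort: u == 0")
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # client premaster
    s_server = pow(A * pow(v, u, N) % N, b, N)                  # server premaster
    k_client, k_server = H(pad(s_client)).digest(), H(pad(s_server)).digest()

    def proof_m(key: bytes) -> bytes:   # RFC 2945: H(H(N) xor H(g) || H(I) || s || A || B || K)
        hx = bytes(p ^ q for p, q in zip(H(pad(N)).digest(), H(pad(g)).digest()))
        return H(hx + H(username.encode()).digest() + salt + pad(A) + pad(B) + key).digest()

    server_proof = proof_m(k_server)                     # server -> client (README order)
    if not secrets.compare_digest(server_proof, proof_m(k_client)):
        return {"server_ok": False, "client_ok": False, "keys_match": False}  # client aborts
    client_proof = H(pad(A) + server_proof + k_client).digest()   # client -> server
    client_ok = secrets.compare_digest(
        client_proof, H(pad(A) + server_proof + k_server).digest())
    return {"server_ok": True, "client_ok": client_ok, "keys_match": k_client == k_server}
```

With the correct password both proofs verify and `keys_match` is true; with a wrong password the client's key differs, so the server's proof fails to verify and the client stops before sending its own proof. Nothing transmitted (A, B, the proofs) lets an observer recover x, and the server never held the password.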
FAQs
Unknown package
The npm package secure-remote-password-js receives a total of 0 weekly downloads. As such, its popularity is classified as not popular.
We found that secure-remote-password-js demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.