item 18166974

WorkLifeBalance | 7 years ago

How do you take this from here to the next step?

Let's say I want to develop a multi user todo and I've followed the examples and now have some Users who log in entering a password.

Someone points out that I shouldn't be storing passwords in plain text so I want to store them hashed.

Despite there being hints in the documentation that this is possible (migrations shows the password hashed), it's not clear how to carry out this kind of change.

A walkthrough of making a change would help convey the use case much better than just templates of "this incantation produces this output".

klageveen|7 years ago

Well, in this particular case passwords are always hashed. So the platform deals with that for you. Other changes to the data model need a migration, which is covered here: https://alan-platform.com/pages/tuts/migration.html

CodesInChaos|7 years ago

It looks like you're using SHA256(username||password) in this example. Even if it's only an example, why use a homebrew password hashing scheme based on an unsuitable hash function and bad ad-hoc salt handling, instead of a strong standard password hash with built in salt handling? And what code/specification is required to use a secure algorithm, like bcrypt with a random salt?

People often copy from such tutorials and will then end up with insecure password storage.

WorkLifeBalance|7 years ago

Where is the definition of the password being hashed? The tutorial defines it as text:

/* 'Users': collection { 'Password': text }*/

How does the platform know to hash that? Is it looking for magic property names?

gcb0|7 years ago

The goal is to "step in when Excel starts to get in the way".

I doubt they will ever care about any of that. A "side loaded application" will likely be the answer to most of those comments.

klageveen|7 years ago

There is a lot the platform can do by itself, but I think you grasped it well enough. The side loaded apps are definitely the escape hatch to enable things it doesn't cover (yet).