WorkLifeBalance | 7 years ago

Specifying something as password hashing as (sha256? salted sha256?) without telling it to seems like magic to me.

So to clarify, it's this `password:` declaration which tells the framework to hash the input?

    users
        dynamic :  . 'Users'
        password : . 'Password'

    interfaces

    root {

    }

    numerical-types

Is this defined anywhere within the project or is this framework magic? (Or "glue" if you don't like the term magic). `password` is not mentioned again anywhere in the documentation, I'd like to understand how the framework knows to hash the input.

klageveen | 7 years ago

The line `password : . 'Password'` points at the password property, which tells the framework to hash it. What kind of hashing isn't something you should have to specify or worry about. It's a strong salted hash and we'd like to make it even better at some point, but that's firmly in the realm of the framework implementation.

TheOtherHobbes | 7 years ago

This parses to "Just trust us to get this right."

I think you may have some issues persuading customers that's a wholly valid approach, especially when you're dealing with security and data integrity, GDPR, and so on.