I finally have to ask the question about node.js

Programming_Padawan

Where I am ever seeking to educate myself, as a good Padawan should, I just have to ask the question.

It is my understanding that Node.js is a version of JavaScript for doing server-side programming. Where I have not found any information to indicate it can be used in your browser code (believe me I've looked), I have to assume that Node.js is to be used for server-side coding ONLY.

On www.npmjs.com there is a bCrypt package for hashing passwords. If Node.js is server-side only how is the password getting to server for hashing? OR is there a way to hash a password at the browser/client with a Node.js package?

It would be fantastic to get some clarification on when and where I can use Node.js.

On my current project I have used pure, or what some would call vanilla, JavaScript, and have steered completely clear of any framework, so I can get a solid foundation in programming with JavaScript.

Thanks a 'heap'
Walt

sibert

Programming_Padawan If Node.js is server-side only how is the password getting to server for hashing? OR is there a way to hash a password at the browser/client with a Node.js package?

I have no experience with Node, but generally there is some ways to communicate between server and client.

From client to server: normal endpoints, javascript fetch() and read/write cookies.
From server to client: write to header (pages etc), read and write cookies.

And sometimes you may let the database do some stuff (hashing, notifying etc)

I am just in the beginning of the same journey, but I pretty sure that everything that smells security should be done by the backend (Node or Database). Maybe @NogDog can jump in and confirm (or not) my thoughts :-)

NogDog

Programming_Padawan I have to assume that Node.js is to be used for server-side coding ONLY

Yes, you'd use it on your web server in the same way you might use PHP, Python, C#, Ruby, whatever. It has no inherent advantage/disadvantage over those other options (well, I'm sure people have preferences), other than if you know JavaScript in general, then you essentially know the language whether writing for the client or server side.

Programming_Padawan is there a way to hash a password at the browser/client with a Node.js package

Well, my initial answer is: why would you want to? (I.e., I would not want the method I'm using to hash passwords to be visible in the JavaScript code in the browser, nor provide evidence of a (Node.js) server-side endpoint I'm using to do it). But putting that aside for the moment, you could access anything on the server side (whether Node.js or other language) via AJAX-type calls in your JavaScript to server-side API endpoints.

Programming_Padawan

I was under the impression that the purposing of hashing passwords is to hide what the password is in case it gets intercepted between the client and server. Then after it is stored in the DB the hashing protects against someone who might invade the server looking for passwords to rainbow table. What appears to be happening is passwords are being sent in cleat-text across the Internet to the server and then hashed and stored (DB).

tracknut

Programming_Padawan What appears to be happening is passwords are being sent in cleat-text across the Internet to the server and then hashed and stored (DB).

If you're sending passwords or other information that requires privacy, the site should use https: so that all communications is encrypted. That's what allows you to do that hashing just on the server.

Layla043

Node.js is an open-source, cross-platform JavaScript runtime environment and library to run web applications outside the client's browser. It is used to create server-side web applications.