I am coding up the security for a website in express.js and postgresql db. Now I have been reading about salting and hashing and I have the code set up with pdkdf2 using the crypto module, but my issue is how I will structure the account table in the db. What If i would create a login role which will have an MD5 encrypted format for the password, which password will be the derived key from the salt n hash "procedure". Would that be an overkill of protection?
There will be a table which will be as follows: UID (the ID from the login role), SALT , HASH. And also the loginrole.
So on a try for authentication, the code will try to login as that role, first by getting the assosiated UID, generating the salt n hashed password for the password provided and auth on a DB level.
Hope I am making some sense..
var usrSalt = crypto.randomBytes('128').toString('base64');
//text , salt ,iterations , keylen , callback
crypto.pbkdf2(usr, usrSalt, 10000, 512, function (err, derivedKey) {
if (err) { console.log(err); }
else {
usr = derivedKey;
next();
}
});
P.S Would a pgcrypto module be better again in the same scenario, just by removing the code on node.js.
Salting and hashing passwords is not overkill, it is the absolute minimum you should do if you cannot avoid dealing with passwords entirely.
It's hard to figure out what you mean with the second part, regarding this being used to auth on a DB level. You usually either do application level authentication using your own usernames/passwords, or you create real users in PostgreSQL and let PostgreSQL authenticate them by simply passing their password and username through to PostgreSQL when you create a connection.
There's an intermediate way, which you might be trying to get at. Authenticate the user yourself, then use
SET SESSION AUTHORIZATIONto have your PostgreSQL database session "become" that user. It's a bit of a specialized approach, and not one I tend to use most of the time. It is mostly used by connection poolers.See also: