Laravel 5.0
I want to encrypt some data in the database using not only the application key but also the users password or any other string that HE will provide.
The reason is that i want only him to be able to decrypt the data.
How would i go about it?
-Use Javascript and encrypt the password locally and then send it to the server?
or
-Send the text that user enters directly to the server?
All traffic will be upon HTTPS
// Encrypt
$key = md5(Config::get('app.key') . $userString);
Crypt::setKey($key);
$encypted = Crypt::encrypt($input);
// decrypt
$key = md5(Config::get('app.key') . $userString);
Crypt::setKey($key);
$decypted = Crypt::decrypt($encypted);
Related
I followed this tutorial to create dynamic email settings stored on db.
https://kayike.medium.com/enable-unique-and-dynamic-smtp-mail-settings-for-each-user-laravel-48e320d381ec
The only problem is that the password is not encrypted. I would like to encrypt it before storing on db and decrypt it before using on MailServiceProvider.
I tried to use bcrypt but it can't be de-crypted. Any suggestions?
Thanks
see the docs for encryption: https://laravel.com/docs/8.x/encryption
encrypting password:
$encrypted = crypt::encryptString($password);
//store this to database
decrypting password:
$decrypted_password = crypt::decryptString($encrypted);
//use this for mailer settings
Note: don't forget to use namespace Illuminate\Support\Facades\Crypt;
in the controller
Additional Note for bcrypt:
encryption-decryption is different than hashing, bcrypt is a hashing formula which can't be decrypted (one way process).
I am attempting to abstract the authorization/authentication from my upstream services into Kong API gateway. Previously, I was using express + passport to handle sessions. Whenever a user logs in with their credentials a session would be created with their user info attached to the req object (req.user).
Currently, I am using API keys + session + serverless functions to compare user passwords (using bycrypt lua library) from a file mapped into the Kong container. The client would send an initial login (with username and password) request with an API key to log in, the serverless function would compare the password hashes, if all that passes, the session would get created.
However, my question is, is there a way to store the user info into the session database, so my upstream service can ask for that information to ensure that the session attached to the user logged in is valid at any given time?
Any ideas even if not related to Kong would be appreciated!
When creating a new session on Kong, you can explicitly provide the unique Key used to identify a session (by default created by KONG itself).
When The password checks pass and you are generating a session on Kong you can create your own unique key and use that key while creating the session.
Kong_admin = 'http://localhost:8001'
kong_session = {'key': 'any-unique-combination'}
#any unique combination which you would like to use for identifying the session
user = 'test-user#dummy.com'
#create a session for this dummy user using your key
response = requests.post('%s/consumers/%s/jwt' % (Kong_admin, user),data=kong_session)
#Once the session is created you can find it using
resp = requests.get('%s/consumers/%s/jwt/any-unique-combination' % (Kong_admin, user))
# you can use this key in your token payload so your upstream service can decrypt the
# payload and get this key and you can store this key in your database mapped with
# user during session creation.
# with this you ll be able to decrypt any session payload , get a key and then query
# it on database at any point of time
I am trying to encrypt a file and then upload it to my Laravel server, decrypt it there and store on the disk. On client-side I'm using AesManaged (.NET 5) to encrypt my file. The file is then uploaded to the server through its REST API and RestSharp.
On the server, I'm using built-in Crypt::decrypt(), which according to Laravel documentation should support AES. I'm using APP_KEY from my .env file to generate encryption key on client-side.
For some reason, Laravel fails to decrypt the uploaded file and throws exception saying:
The payload is invalid.
Has anyone handled this before? What am I missing?
If you are using cross language encryption decryption then laravel inbuilt Encrypter class will fail to decrypt due to mismatch in encryption keys. I will not recommend you to use laravel key in another platform.
For user level encryption make a column in your users table in database and try to store different encryption keys for each user.
To decrypt you can phpseclib.
protected function AESDecrypt($data)
{
$aes = new \phpseclib\Crypt\AES(1);
/**
MODE_ECB = 1;
MODE_CBC = 2;
MODE_CFB = 3;
**/
$aes->setKeyLength(128); // Valid key lengths are 128, 192, and 256
$aes->setKey($this->KEY); // replace key
$aes->disablePadding();
$decryptedData = $aes->decrypt(base64_decode($data));
return $decryptedData;
}
I am new to JMeter. My password is encrypted in Client side using jQuery.jcryption library. I get my secret key from server side and in client side using the key used to encrypt username and password. Then encrypted User Name and password is decrypted on server side based on same key.
My questions are:
How do i encrypt my data in JMeter at each thread run using jQuery.jcryption.js?
Is there any way to run jQuery files in JMeter?
I am stuck and not able to resolve this.
$.jCryption.getKeys("../account/getPublicKey.srvc?generateKeypair=true",
function(receivedKeys) {
var user = $("#userNameId").val();
var password = $("#passwordId").val();
$.jCryption.encrypt(user, receivedKeys, function(encrypted) {
$.jCryption.encrypt(password, receivedKeys, function(encryptedPasswd) {
$("#userNameHiddenId").val(encrypted);
$("#passwordHiddenId").val(encryptedPasswd);
validateAndSubmitLogin('form#loginForm');
});
});
});
consider this scenario :
User receives a reset password link by email.
He clicks the 'reset password' link in his email and he will be redirected to password reset page that only he has access to due to the token in the URL . As you all know this token is stored in password_resets table with the email of the user .
I want to make the access to this page concerns only the user that clicked to the link in his email , so i have to compare the token in the URL with the token stored in 'password_resets' table ,and as Laravel uses a Hasher to encrypt the token before storing it and can't compare the two tokens .
Do you have any ideas how to fix this ?
simply get the token from the url and hash it then compared the hashed token with the token in the database. This is how passwords are checked the hashed passwords in the database are not reversible you compare the hashes not the plain text password
There is a Hash function built into Laravel, not sure what system your token generator is using but chances are it is using the Hash function in Laravel