I usually hash on server side. But, I’ve been reading about how some people suggest hashing on client-side because it protects against programmer errors.
Some suggest both. Got me wondering how others here do it.
Nearly everyone does it server-side, except if you’re building an end-to-end encrypted app in which case the decryption process happens client-side and therefore the hash is generated client-side.
Doing the hashes client-side because “it protects against programmer errors” is a new one. What stops someone from making mistakes client-side?
For me I do a hash client-side and remove the plain text password from the form on submit. The reason is just a basic precaution (and certainly not foolproof) against someone having a detached dev inspector open in the background and easily viewing the form payloads if they’ve allowed someone to use their computer. The main hash (argon) is done server-side still.
Nothing against client-side hashes. Sorry if I looked blunt on my initial answer.
I was a big proponent of end-to-end encryption and therefore client-side hashing. With time I realized no one really cared and I just went with the most common approach (server-side hashing).
Does Wappler provide a way to perform client-side hashing? If not, one could do a custom formatter to do such hashing.
I didn’t find it too blunt. I like straightforward comments anyway.
As far as I know there isn’t a straight way to do it. But, you could create a var that the password field updates and then you hash that var. Just a guess.
There are no client-side crypto formatters at the moment. I did submit an FR a LONG time ago:
It is easy, though, to use a JavaScript function on submit (I use the crypto-js library - you need to include it on the page). I prefer not to use a formatter as I want the function to not only create the hash but also clear the plain-text version.
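function pwhashsend() {
  var cp = document.getElementById('plain_pw'); // plain-text password input
  var np = document.getElementById('enc_pw'); // hidden input that carries the hashed password
  var p = cp.value;
  // SHA-512 of the typed password as a hex string (crypto-js must be loaded on the page)
  var hp = CryptoJS.SHA512(p).toString(CryptoJS.enc.Hex);
  cp.value = ''; // clear the plain-text value so it is not part of the submitted form
  np.value = hp; // submit only the hex digest
  return true; // allow the form submission to continue
}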
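The server side of the pre-hash approach discussed in this thread, as an added example that is not any poster's code: the submitted SHA-512 hex string works like the password itself, so the server still salts and slow-hashes it before storing. Node's built-in scrypt stands in here for the Argon hash mentioned above so the block runs without extra packages; the function names, record format and cost parameters are assumptions.

```javascript
// Added example: server-side handling of the SHA-512 hex string that the
// client-side pre-hash places in the hidden form field.
const nodeCrypto = require('crypto');

const PREHASH_RE = /^[0-9a-f]{128}$/;          // SHA-512 as lowercase hex is 128 chars
const SCRYPT_OPTS = { N: 16384, r: 8, p: 1 };  // assumed cost parameters
const KEY_LEN = 64;

// Reject anything that is not a well-formed SHA-512 hex digest.
function isValidPrehash(value) {
  return typeof value === 'string' && PREHASH_RE.test(value);
}

// Registration: salt and slow-hash the submitted pre-hash; store only this record.
function createRecord(prehashHex) {
  if (!isValidPrehash(prehashHex)) throw new Error('malformed pre-hash');
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(prehashHex, salt, KEY_LEN, SCRYPT_OPTS);
  return salt.toString('hex') + ':' + key.toString('hex');
}

// Login: recompute with the stored salt and compare in constant time.
function verifyRecord(prehashHex, record) {
  if (!isValidPrehash(prehashHex)) return false;
  const [saltHex, keyHex] = record.split(':');
  const expected = Buffer.from(keyHex, 'hex');
  const actual = nodeCrypto.scryptSync(
    prehashHex, Buffer.from(saltHex, 'hex'), expected.length, SCRYPT_OPTS);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed helper for trying the flow: reproduces what the browser sends
// (SHA-512 of the UTF-8 password, hex-encoded) for a made-up password.
function clientPrehash(password) {
  return nodeCrypto.createHash('sha512').update(password, 'utf8').digest('hex');
}
```

The stored record never contains the pre-hash, and two registrations of the same password produce different records because each gets a fresh salt.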