Weak credential policy - Temporary passwords - TypeScript

Weak credential policy - Temporary passwords - TypeScript

Need

Strengthening temporary password security policies

Context

  • Usage of TypeScript for type-checking and enhanced JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();

app.post('/login', (req, res) => {
  const { username, password } = req.body;

  // Generate temporary password
  const temporaryPassword = generateTemporaryPassword();

  // Store temporary password in the database
  saveTemporaryPassword(username, temporaryPassword);

  // Send temporary password to the user
  sendTemporaryPassword(username, temporaryPassword);

  res.send('Temporary password has been sent to your email.');
});

function generateTemporaryPassword() {
  // Generate a weak temporary password
  return 'weak123';
}

function saveTemporaryPassword(username: string, temporaryPassword: string) {
  // Save the temporary password in the database
  // This code does not implement any security measures for storing passwords
}

function sendTemporaryPassword(username: string, temporaryPassword: string) {
  // Send the temporary password to the user's email
  // This code does not implement any secure email sending mechanism
}

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in this code is related to weak credential policy for temporary passwords. The code generates a temporary password using the generateTemporaryPassword function, which currently returns a weak password "weak123". This weak password does not meet the recommended best practices for strong passwords, such as having a combination of uppercase and lowercase letters, numbers, and special characters.

Furthermore, the code does not implement any security measures for storing the temporary password in the database. The saveTemporaryPassword function does not hash or encrypt the password before saving it, leaving it vulnerable to unauthorized access if the database is compromised.

Additionally, the code does not implement any secure email sending mechanism in the sendTemporaryPassword function. This means that the temporary password could be intercepted or accessed by unauthorized individuals during the email transmission process.

These vulnerabilities can allow an attacker to compromise the temporary passwords and gain unauthorized access to the application, potentially leading to unauthorized actions or data breaches.

Steps

  • Implement a strong password generation function for generating temporary passwords.
  • Implement secure password storage mechanism to store temporary passwords in the database.
  • Implement a secure email sending mechanism to send temporary passwords to users.

Compliant code

        import express from 'express';
import bcrypt from 'bcrypt';
import nodemailer from 'nodemailer';

const app = express();

app.use(express.json());

app.post('/login', async (req, res) => {
  const { username, password } = req.body;

  // Generate temporary password
  const temporaryPassword = generateTemporaryPassword();

  // Store temporary password in the database
  await saveTemporaryPassword(username, temporaryPassword);

  // Send temporary password to the user
  await sendTemporaryPassword(username, temporaryPassword);

  res.send('Temporary password has been sent to your email.');
});

function generateTemporaryPassword() {
  const temporaryPasswordLength = 10;
  const temporaryPassword = Math.random().toString(36).slice(-temporaryPasswordLength);
  return temporaryPassword;
}

async function saveTemporaryPassword(username: string, temporaryPassword: string) {
  const saltRounds = 10;
  const hashedPassword = await bcrypt.hash(temporaryPassword, saltRounds);
  // Save the hashed temporary password in the database
  // Implement your code here to store the hashed password
}

async function sendTemporaryPassword(username: string, temporaryPassword: string) {
  const transporter = nodemailer.createTransport({
    service: 'your-email-service',
    auth: {
      user: 'your-email-username',
      pass: 'your-email-password',
    },
  });

  const mailOptions = {
    from: 'your-email-username',
    to: username,
    subject: 'Temporary Password',
    text: `Your temporary password is: ${temporaryPassword}`,
  };

  // Send the email with the temporary password
  // Implement your code here to send the email
}

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The fixed code addresses the vulnerability by implementing secure temporary passwords using recommended best practices. Here's an explanation of the changes made:

1. The code imports the necessary modules: express for creating the server, bcrypt for hashing passwords securely, and nodemailer for sending emails.

2. The /login route is defined as a POST request handler. It expects the username and password to be provided in the request body.

3. The generateTemporaryPassword function generates a temporary password of length 10 using a random alphanumeric string.

4. The saveTemporaryPassword function takes the username and temporaryPassword as parameters. It uses the bcrypt library to hash the temporary password with a salt of 10 rounds before storing it in the database. The use of bcrypt ensures that the password is securely hashed and not easily reversible.

5. The sendTemporaryPassword function takes the username and temporaryPassword as parameters. It uses the nodemailer library to create a transporter object with the email service credentials. It then defines the email options, including the sender, recipient, subject, and body of the email. The temporary password is included in the email body.

6. The /login route handler calls the generateTemporaryPassword function to generate a temporary password. It then calls the saveTemporaryPassword function to securely hash and store the temporary password in the database. Finally, it calls the sendTemporaryPassword function to send the temporary password to the user's email.

7. The server listens on port 3000 and logs a message when it starts running.

By implementing these changes, the code ensures that temporary passwords are securely generated, hashed, and stored in the database. Additionally, the temporary password is sent to the user's email using a secure email service.

References