auth API for encrypt37.com
Your password is never saved in DB, even the hashed version
For normal websites, when you signup, you need to send your email and plaintext password to backend, then backend hashes the password and save it to DB.
Instead of doing that, I use openpgpjs to signup like this:
- Generate a public and private keypair;
- Encrypt the private key with your password;
- Send your username, public key, encrypted private key to server;
Your password never leaves your device.
When you signin:
- Your device makes a request with your username to get the public key, encrypted private key, and a random challenge encrypted with your public key on server;
- Your device decrypts the encrypted private key;
- Use the decrypted private key to decrypt the challenge;
- Send the decrypted challenge to server;
- Server checks is the challenge is solved, if yes, it will return an access token and a refresh token back to your device;
Btw, the endpoints are built with claudiajs