Node.js - encrypt hard coded password with CSPRNG - javascript

I am using Node.js and Express.js to expose some APIs. Some passwords need to be stored in a config file (json) which would then be used to connect to some other servers. For example:
module.exports = {
  connection: {
    server: "abc",
    user: "user1",
    password: "p123"
  }
};
For security reasons, these passwords need to be encrypted (and subsequently decrypted by the service deployed in Express.js to connect to another server).
I looked at some Node.js encryption packages and found several npm packages like crypto-js, cryptr, simple-encryptor etc.
Now, the IT team has shared some security requirements which go as -
'Ensure that CSPRNG and not PRNG is used for JavaScript cryptography'
When I looked at these packages, I could not find whether they use CSPRNG or PRNG. Can someone please help me understand what exactly is the difference and which encryption/decryption package uses CSPRNG instead of PRNG?

I believe your IT team is asking you to generate salts for when you encrypt the passwords. Bcrypt is probably the best crypto library. I don't think it will make a difference if you use PRNG or CSPRNG for generating the hash. See this post. https://crypto.stackexchange.com/questions/35576/do-i-need-to-use-a-csprng-when-creating-salts-for-user-accounts

Related

registering socket IO to vite for sveltekit

I have written a few apps using svelte and sapper and thought I would give sveltekit a go.
All in all it works, but I am now running into the issue of registering a worker on the server.
Basically I am trying to add socket.io to my app because I want to be able to send and receive data from the server. With sapper this wasn't really an issue because you had the server.js file where you could connect socket.io to the polka/express server. But I cannot find any equivalent in sveltekit and vite.
I experimented a bit and I can create a new socket.io server in a route, but that will lead to a bunch of new problems, such as it being on a separate port and causing cors issues.
So I am wondering is this possible with sveltekit and how do you get access to the underlying server?
The @sveltejs/adapter-node also builds express/polka compatible middleware, which is exposed as build/middlewares.js and which you can import into a custom /server.cjs:
const {
  assetsMiddleware,
  prerenderedMiddleware,
  kitMiddleware,
} = require("./build/middlewares.js");
...
app.use(assetsMiddleware, prerenderedMiddleware, kitMiddleware);
The node adaptor also has an entryPoint option, which allows bundling the custom server into the build, but I ran into issues using this approach.
Adapters are not used during development (aka npx svelte-kit dev).
But using the svelte.config.js you're able to inject socket.io into the vite server:
...
kit: {
  ...
  vite: {
    plugins: [
      {
        name: "sveltekit-socket-io",
        configureServer(server) {
          // Server is the socket.io Server class (import elided above);
          // attach it to the dev server's underlying Node HTTP server
          const io = new Server(server.httpServer);
          ...
        },
      },
    ],
  },
},
Note: the dev server needs to be restarted to apply changes in the server code.
You could use entr to automate that.
You cannot connect to a polka/express server because depending on the adapter you choose there can be no polka/express server used - if you deploy to a serverless platform for example. Sockets for serverless are not so easy to implement and their implementation depend on the provider.
You are raising an important concern but right now I'm afraid this is not possible - someone correct me if I'm wrong.
What you still can do is to write your front with SvelteKit, build it as a static/SPA/node application and then use your build from your own polka/express server. You lose the swift development experience offered by SvelteKit though, since your development will be parted in two: first the client, then the server.
EDIT
You can also use a data-pusher third service. They are straightforward to use but not necessarily free. Here is a list of data-pusher services from the Vercel page:
Ably
Pusher
PubNub
Firebase Realtime Database
TalkJS
SendBird
Supabase

How to Send Money Dogecoin With NodeJS?

I'm learning to make a simple Dogecoin wallet terminal for personal use. I managed to generate a private key and public address (using coinkey), and I successfully checked the Dogecoin balance (using the Dogechain API).
But, I'm still confused about sending Dogecoin from the private key that I generated. Is there a NodeJS module that can be used to send Dogecoin from a private key? Or maybe anyone has an example?
You'll need a running instance of dogecoind to connect with. If you're running Debian/Ubuntu, this worked for me: http://www.dogeco.in/wiki/index.php/Dogecoind
Then, install the node-dogecoin NPM package. (https://github.com/countable/node-dogecoin)
npm install node-dogecoin
var dogecoin = require('node-dogecoin')()
dogecoin
  .auth('MyUserName', 'mypassword')
  .getNewAddress()
  .getBalance()
You could use node-dogecoin. It is a simple wrapper for the Dogecoin wallet (and I think it is compatible with all Litecoin-compatible wallets, but not tested yet).
In this way you can generate a private key, check the balance, send coins and so on within a single Node.js module.

Google Assistant Input to Python Output

The question is pretty straightforward. I would like to control a drone (Bitcraze Crazyflie), using a Google Home. The Input is: "Drone fly to x3 y4", processed as usual by Firebase etc. Resulting in the Google Assistant Output: "Flying to x3 y4", but also an Output in e.g. JSON format, to navigate the drone. Because the drone works with Python, this is the preferable Output language.
EDIT Added more Context
Currently I'm using an node server running this code:
'use strict';
// Import the Dialogflow module from the Actions on Google client library.
const {dialogflow} = require('actions-on-google');
// Import the firebase-functions package for deployment.
const functions = require('firebase-functions');
// Instantiate the Dialogflow client.
const app = dialogflow({debug: true});
// Handle the Dialogflow intent named 'fly'.
// The intent collects parameters named 'xaxis, yaxis'.
app.intent('fly', (conv, {xaxis, yaxis}) => {
  const xAxis = xaxis;
  const yAxis = yaxis;
  // Respond with the user's coordinates and end the conversation.
  conv.close('Roger that, flying to ' + xAxis + ", " + yAxis);
});
// Set the DialogflowApp object to handle the HTTPS POST request.
exports.dialogflowFirebaseFulfillment = functions.https.onRequest(app);
Now I would like to get the const xAxis and yAxis and use them in a Python program. I've tried using
process.stdout.write(xAxis + yAxis);
Listening in Python with something like
out = sensor.stdout.read(1)
but the code will be run on the Google Server, so local port listening does not work.
Thanks for your help.
The best approach is having another machine on GCP rather than communicating with your home PC. You'll learn more and have an easier time, in the long run, building solutions. As I'm more familiar with AWS rather than GCP, I can't cite the network/security components you need to configure but the docs say you don't have to. So, in theory, it should be just about spinning up another compute machine with your Python code running on it.
Were you to decide on speaking to your home PC, you'll need to forward ports on your router. It is, currently, acting as a firewall for your LAN devices and doesn't permit outside machines initiating connections to your internal addresses. e.g. your GCP machine initiating a connection to your home PC. The other way around is permitted, by default. If you think about it, your router has one WAN IP address but your LAN can have multiple devices (multiple LAN IPs). If your GCP machine connects to your router WAN IP at port 8080, to which LAN IP should it connect? You have to help your router and explicitly tell it.
Once you have a networking solution in place, you can debug the connectivity itself (server can talk to client) by using netcat (nc/ncat, depending on Linux distro). Netcat is a versatile networking tool with which you can purely open connections (before you add in your program to the debugging stack) and assure the networking part of your solution is working as intended.
nc -v <destination_ip> <port>
Simple.
This should get you to where you want to be. A working connection between your GCP drone controller and the Python processor machine.
Bonus - If you want a quick way to have your machine (PC or otherwise) listen on a port, you can use Python's built-in HTTP file server module with
python -m http.server 8080
This will serve files from the directory you ran this command. So, keep that in mind if you're open to the world.
Or, a simple "echo server", using netcat.
nc -v -l 8080
Lastly, for a solid Python HTTP API framework, I highly recommend FastAPI. It allows quickly writing an HTTP API server with, for example, a POST method that your GCP drone controller can call. It has the great bonus of generating both interactive OpenAPI docs, for example, for your code and, using 3rd party tools from Swagger (that you can see in the example linked), generating server/client/testing "boilerplate" code. Did I also mention their docs are great?

mongo shell JavaScript equivalent to --sslCAFile

I'm using JavaScript to connect to multiple databases at once from the mongo shell. However, one of my databases is on Digital Ocean instead of AWS so I have an SSL certificate on my EC2 server.
In general, I use something similar to this to connect and use multiple servers on one file:
var iptDb = connect("###.###.###.###:27017/dbname");
iptDb.auth("username", cat("pw"));
In order to connect to my Digital Ocean database, I know that I need to add ?ssl=true, like below, but I don't know where I put the certificate information.
var iptDb = connect("###.###.###.###:27017/dbname?ssl=true");
iptDb.auth("username", cat("pw"));
mongo uses --sslCAFile in the shell to give the certificate path.
What would be the equivalent if I want to write it in my JavaScript file?
More information on --sslCAFile at MongoDB Configure SSL
The mongo shell isn't intended to be a full driver replacement; some options (like --sslCAFile) can only be provided as command line parameters. As of MongoDB 3.2 there are other limitations of mongo shell scripts, such as few I/O options (no input methods and limited output methods).
If your requirements are relatively straightforward and you don't want to install a driver, you could perhaps write a shell script (bash/zsh/...) to run multiple invocations of mongod with the expected connection parameters.
For any significant scripting I would recommend using one of the officially supported drivers which will include full support for SSL options. For example, see the Node.js driver SSL connection tutorial.

Installing/setting up Socket.IO on my server

Ok so I have read through the Socket.IO docs and I am still a little unsure of a couple of points:
The documentation says...
To run the demo, execute the following:
git clone git://github.com/LearnBoost/Socket.IO-node.git socket.io
cd socket.io/example/
sudo node server.js
Now I don't know what this means at all! I think it may be command line interface. I of course have access to this on my localhost, but my online hosting package is a shared LAMP setup. Meaning I don't have access to the root command line (I think).
How do I actually setup socket.IO, is it impossible on my shared server package?
Appreciate any help...
W.
If you aren't familiar with node.js or with basic command line usage then I would suggest that you use a hosted WebSockets solution like pusherapp. Trying to learn WebSockets, and Node.js, and the Linux command line all at once is going to lead to a lot of frustration. Take a look at pusherapp's quick start guide, it's very easy to get started. You can have 5 simultaneous connections with a single application for free (I'm not affiliated with pusherapp).
Updated (with inline answers to questions):
If you are going to go the direction of running a Socket.IO application:
You don't technically need git since you can download node.js and Socket.IO from their respective download links on github.
You don't actually need a LAMP server to use Socket.IO. By default Socket.IO functions as a simple webserver in addition to a WebSockets server. If you want server side scripting then you might want Apache with mod_php, mod_python, etc.
You don't technically need a dedicated server or even root access. You do need a system where you can have a long-running process. And if you want the service to start automatically when the system is rebooted, you probably want to add a startup file to /etc/init.d, /etc/rc.d which will require root access. Both node.js and Socket.IO can be installed and run from a normal home directory. If you want to run Socket.IO on a standard port like 80 or 443 then you will need to run it with root privilege.
Node.JS scales quite well so Socket.IO will probably scale pretty well too.
It's not a simple matter to get everything setup and working, but if your goal is a free solution for web serving+WebSockets then Socket.IO is probably a good route to at least explore if you are brave.
First you'll have to determine if your host supports SSH. Sometimes they don't by default on shared hosting, but if you ask they can turn it on. If it does you'll use some sort of SSH client to connect to it. PuTTY for Windows is the most common. Then you'll use git, which is a source control program, which you'll probably have to install on your host, which may or may not be allowed. If you can, this can be accomplished a number of ways; you'll want to read the git documentation, it will depend largely on what Linux distribution you're running. cd is change directory, basic command line stuff. sudo on the last line is telling the system to run the command as root, which it will ask you the password for, which you may not have access to on your host. Sounds like you're gonna have an uphill battle on shared hosting. You may want to opt for a VPS instead.
If your shared host is a LAMP system with no command line access you're not going to get very far with Socket.IO. The instructions you posted assume you have command line access and that you've installed the node.js runtime on your system.
If you really want to try this I recommend you get a VPS of your own (I use prgmr.com) to test it out. For what it's worth I found the Socket.IO platform pretty nice to use once I got it up and running.
