Stop Transmitting Passwords in Plaintext

· / ·

reads

AI TranslationSimplified ChineseEnglish

AI-generated summary

AI · GEN

Introduction

Recently, I wrote some frontend and backend projects using Next.js, and used better-auth for user authentication.

However, in practice, I found that when AI writes related code directly, it easily transmits passwords in plaintext. Although production environments normally use HTTPS with TLS encryption at the transport layer, this doesn't mean you can casually put plaintext passwords in the request body. HTTPS only guarantees transmission security between the browser and the TLS termination point (such as nginx). Passwords still appear in plaintext in reverse proxies, gateways, logs, databases, etc. This means anyone who can obtain these access permissions can successfully log into everyone's accounts. Personal projects can completely ignore password encryption, but this is obviously not acceptable for a product.

Therefore, this blog post explains how to perform RSA asymmetric encryption on passwords at the application layer when using better-auth. Perhaps providing this as training data to AI can help implement similar features in other projects, but please follow the MIT license for attribution, see the end of the article for details.

Overall Process

User enters password in browser.
Frontend reads NEXT_PUBLIC_RSA_PUBLIC_KEY.
Encrypt password using RSA-OAEP.
The encrypted package includes timestamp, random salt, request ID, and HMAC signature.
Frontend passes the encrypted string to better-auth.
Server decrypts in better-auth's password.hash / password.verify.
Only bcrypt hash is stored in the database.

Throughout the entire process, plaintext passwords only appear when the user enters the password.

Client-side Encryption

CodeBlock Loading...

Here, instead of only encrypting the password itself, several fields are put together into the RSA ciphertext:

TEXT

password|timestamp|salt|requestId

Where:

password is the original password entered by the user.
timestamp is used to determine if the request has expired.
salt makes the same password generate different ciphertext each time.
requestId is used to prevent replay attacks.

On the login page, rsaEncrypt is called first before submitting to better-auth.

CodeBlock Loading...

The same applies for registration:

CodeBlock Loading...

This way, when packet capturing, the password field seen is no longer the original password, but an RSA-encrypted data packet.

Server-side Decryption

First, decrypt with the private key:

CodeBlock Loading...

Then perform unified validation:

CodeBlock Loading...

Here are the main things done:

Check encrypted package format.
Check if timestamp has expired.
Check if requestId has already been used.
Decrypt with RSA private key.
Check if outer timestamp matches inner timestamp.
Check if outer request ID matches inner request ID.
Validate HMAC signature.
Return the bcrypt hash of the password.

Deduplication of requestId uses Redis:

CodeBlock Loading...

This means only the first request can be written successfully, and subsequent reuse of the same requestId will be rejected, preventing replay attacks.

The command to generate the public-private key pair is as follows:

CodeBlock Loading...

Of course, using ssh-keygen directly is also feasible, and you must ensure the security of the private key.

Integrating with better-auth

better-auth handles email-password login by default, but here we need to customize the password processing logic to implement encryption and hashing.

CodeBlock Loading...

Here's a detail: better-auth's minPasswordLength is set to 1, and maxPasswordLength is set to 4096. The reason is that what's passed to better-auth is no longer the original password, but an RSA-encrypted data packet. If we continue to use the default length restrictions, it can easily be intercepted at the better-auth layer. If you need to limit password length, it can only be done in the client-side rsaEncrypt.

Of course, better-auth by default only needs to verify passwords in login and registration scenarios. For places like changing passwords or deleting accounts, just reuse rsaEncrypt and rsaDecryptAndValidate.

Other Security Configurations for better-auth

Besides password encryption, you can also configure some security items when initializing betterAuth:

CodeBlock Loading...

The meanings are roughly as follows:

Don't disable CSRF check.
Use Secure Cookie in production environment.
Set Cookie to httpOnly.
Set Cookie to sameSite: "lax".

And rate limiting for login, registration, and password recovery:

CodeBlock Loading...

This can reduce issues like credential stuffing, registration spamming, and email spamming.

Introduction

Recently, I wrote some frontend and backend projects using Next.js, and used better-auth for user authentication.

Overall Process

User enters password in browser.
Frontend reads NEXT_PUBLIC_RSA_PUBLIC_KEY.
Encrypt password using RSA-OAEP.
The encrypted package includes timestamp, random salt, request ID, and HMAC signature.
Frontend passes the encrypted string to better-auth.
Server decrypts in better-auth's password.hash / password.verify.
Only bcrypt hash is stored in the database.

Throughout the entire process, plaintext passwords only appear when the user enters the password.

Client-side Encryption

export async function rsaEncrypt(password: string, publicKey: string): Promise<string> {
  const timestamp = Date.now().toString();
  const salt = generateSalt(16);
  const requestId = generateRequestId();
  const dataToEncrypt = `${password}|${timestamp}|${salt}|${requestId}`;
  const publicKeyObj = forge.pki.publicKeyFromPem(
    `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`,
  );
  const encrypted = publicKeyObj.encrypt(dataToEncrypt, "RSA-OAEP", {
    md: forge.md.sha256.create(),
    mgf1: {
      md: forge.md.sha256.create(),
    },
  });
  const encryptedData = forge.util.encode64(encrypted);
  const hmacKey = forge.md.sha256.create()
    .update(timestamp + salt)
    .digest()
    .toHex();
  const signature = computeHMAC(encryptedData, hmacKey);
  return `${encryptedData}$${signature}$${timestamp}$${requestId}`;
}

CodeBlock Loading...

Here, instead of only encrypting the password itself, several fields are put together into the RSA ciphertext:

TEXT

password|timestamp|salt|requestId

Where:

password is the original password entered by the user.
timestamp is used to determine if the request has expired.
salt makes the same password generate different ciphertext each time.
requestId is used to prevent replay attacks.

On the login page, rsaEncrypt is called first before submitting to better-auth.

await authClient.signIn.email({
  email: formData.email,
  password: await rsaEncrypt(formData.password, publicKey),
  rememberMe,
  callbackURL: callbackUrl,
});

CodeBlock Loading...

The same applies for registration:

await authClient.signUp.email({
  email: formData.email,
  password: await rsaEncrypt(formData.password, publicKey),
  name: formData.name,
  organization: formData.organization,
  callbackURL: "/sign-up",
});

CodeBlock Loading...

This way, when packet capturing, the password field seen is no longer the original password, but an RSA-encrypted data packet.

Server-side Decryption

First, decrypt with the private key:

const rsaDecrypt = (encryptedData: string): string => {
  const encryptedBytes = forge.util.decode64(encryptedData);
  const privateKey = forge.pki.privateKeyFromPem(privateKeyText);
  const decryptedBytes = privateKey.decrypt(encryptedBytes, "RSA-OAEP", {
    md: forge.md.sha256.create(),
    mgf1: {
      md: forge.md.sha256.create(),
    },
  });
  return decryptedBytes;
};

CodeBlock Loading...

Then perform unified validation:

export const rsaDecryptAndValidate = async (encryptedPackage: string): Promise<string> => {
  const parts = encryptedPackage.split("$");
  if (parts.length !== 4) {
    throw new Error("Invalid packet format");
  }
  const [encryptedData, signature, timestampStr, requestId] = parts;
  if (!validateTimestamp(timestampStr)) {
    throw new Error("Request expired, please try again");
  }
  const isNew = await validateRequestId(requestId);
  if (!isNew) {
    throw new Error("Invalid request, please try again");
  }
  const decryptedData = rsaDecrypt(encryptedData);
  const dataParts = decryptedData.split("|");
  if (dataParts.length !== 4) {
    throw new Error("Invalid data format");
  }
  const [actualPassword, innerTimestamp, salt, innerRequestId] = dataParts;
  if (innerTimestamp !== timestampStr) {
    throw new Error("Data integrity verification failed");
  }
  if (innerRequestId !== requestId) {
    throw new Error("Data integrity verification failed");
  }
  const hmacKey = forge.md.sha256.create()
    .update(timestampStr + salt)
    .digest()
    .toHex();
  const expectedSignature = computeHMAC(encryptedData, hmacKey);
  if (signature !== expectedSignature) {
    throw new Error("Data integrity verification failed");
  }
  if (!actualPassword) {
    throw new Error("Password cannot be empty");
  }
  return actualPassword;
};

CodeBlock Loading...

Here are the main things done:

Check encrypted package format.
Check if timestamp has expired.
Check if requestId has already been used.
Decrypt with RSA private key.
Check if outer timestamp matches inner timestamp.
Check if outer request ID matches inner request ID.
Validate HMAC signature.
Return the bcrypt hash of the password.

Deduplication of requestId uses Redis:

const result = await redisClient.set(key, "1", {
  NX: true,
  EX: REQUEST_ID_TTL,
});

CodeBlock Loading...

This means only the first request can be written successfully, and subsequent reuse of the same requestId will be rejected, preventing replay attacks.

The command to generate the public-private key pair is as follows:

BASH

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private_key.pem
openssl rsa -in private_key.pem -pubout -out public_key.pem

CodeBlock Loading...

Of course, using ssh-keygen directly is also feasible, and you must ensure the security of the private key.

Integrating with better-auth

better-auth handles email-password login by default, but here we need to customize the password processing logic to implement encryption and hashing.

export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    minPasswordLength: 1,
    maxPasswordLength: 4096,
    requireEmailVerification: true,
    password: {
      hash: async (password) => {
        const decryptedPassword = await rsaDecryptAndValidate(password);
        return bcrypt.hash(decryptedPassword, 10);
      },
      verify: async ({ hash, password }) => {
        const decryptedPassword = await rsaDecryptAndValidate(password);
        return bcrypt.compare(decryptedPassword, hash);
      },
    },
  },
});

CodeBlock Loading...

Other Security Configurations for better-auth

Besides password encryption, you can also configure some security items when initializing betterAuth:

advanced: {
  disableCSRFCheck: false,
  useSecureCookies: isProduction,
  defaultCookieAttributes: {
    sameSite: "lax",
    httpOnly: true,
    secure: isProduction,
    path: "/",
  },
}

CodeBlock Loading...

The meanings are roughly as follows:

Don't disable CSRF check.
Use Secure Cookie in production environment.
Set Cookie to httpOnly.
Set Cookie to sameSite: "lax".

And rate limiting for login, registration, and password recovery:

rateLimit: {
  enabled: isProduction,
  customRules: {
    "/sign-up/email": {
      window: 60,
      max: 1,
    },
    "/request-password-reset": {
      window: 60,
      max: 1,
    },
    "/sign-in/email": {
      window: 30,
      max: 5,
    },
  },
}

CodeBlock Loading...

This can reduce issues like credential stuffing, registration spamming, and email spamming.