• 0 Posts
  • 4 Comments
Joined 1 year ago
cake
Cake day: October 13th, 2023

help-circle


  • In addition to the excellent points made by steventhedev and koper:

    user.password = await hashPassword(user.password);

    Just this one line of code alone is wrong.

    1. It’s unclear, but quite likely that the type has changed here. Even in a duck typed language this is hard to manage and often leads to bugs.
    2. Even without a type change, you shouldn’t reuse an object member like this. Dramatically better to have password and hashed_password so that they never get mixed up. If you don’t want the raw password available after this point, zero it out or delete it.
    3. All of these style considerations apply 4x as strongly when it’s a piece of code that’s important to the security of your service, which obviously hashing passwords is.

  • I don’t trust them first off, but even trusting them to not voluntarily disclose it doesn’t mean they won’t have a security breach and disclose it involuntarily. Also, the database has to be created and queried somehow; some employees and govt workers will be able to see what queries are made. Even trusting the business and the govt and the security of both, I don’t trust those random people having access to that info.

    What evidence do you have to give the website that you are person X that they’re running the database query against? If that’s an ID there’s going to be some available online, or a kid can just sneak it from the parent. Everything I’ve heard proposed for the identification strategy is either grossly invasive or quite easy to step over.

    I don’t believe that Canada will actually enforce this across all websites. If they do it on only the large/main ones, it makes it harder for kids to access the relatively safe and legal porn hosted on sites making effort to follow the law, and pushes them towards sites that aren’t making such an effort and therefore probably have more objectionable content.