
Comments (9)

marcuswestin avatar marcuswestin commented on August 28, 2024

Hi Piotr,

Thanks for the suggestion! Since encryption does not address the goal of
store.js (create cross-browser storage) I'm hesitant to add it. What are
your thoughts about this?

Cheers!
Marcus

On Sat, Jul 14, 2012 at 5:30 AM, Piotr <[email protected]> wrote:

Goal

Use encryption for storing data for non-public app areas.

Description

As far as I know, browsers store DOM storage on disk in unencrypted files;
DOM storage is accessible from all domain paths (except IE UserData) and
doesn't expire.

This may be considered a security issue on shared workstations in cases
when the client-side app doesn't clear user data (browser crash / closed window)
or the browser decides to keep them (temporary files).

I see the simplest solution in encrypting storage data after serializing
to JSON and decrypting before deserializing.

It's up to the developer to come up with an idea of how to obtain a secure key/
token; assuming encrypted storage makes sense for non-public areas (user is
logged in), one can possibly use a server-side unique session token.
Once the server-side session expires, the token is not available anymore. When
there is no token, previously saved data theoretically becomes undecryptable
junk (and may be removed client-side on next execution).

This should limit access to user data.

Drawback: Storage values take quite a bit more space (depends on encoding);

Inspiration: dojo.storage.encrypted

Implementation

Configuration for Crypto.js, but
any crypt library with methods encrypt( value ) and decrypt( encrypted ) should work:

store.crypt = {
        key: App.token, // e.g. 'c015dc1d6028a6815ac944c8512c10db'
        // Encrypt the serialized JSON string before it is written to storage
        encrypt: function( plaintext ) {
                return CryptoJS.AES.encrypt( plaintext, this.key ).toString();
        },
        // Decrypt a stored value back into the JSON string
        decrypt: function( encrypted ) {
                return CryptoJS.AES.decrypt( encrypted, this.key ).toString( CryptoJS.enc.Utf8 );
        }
}

Proposed changes to store.js code (didn't test):

store.serialize = function(value) {

        var serialized = JSON.stringify( value );

        // Encrypt the JSON text when a crypt adapter is configured
        if ( store.crypt ) { serialized = store.crypt.encrypt( serialized ); }

        return serialized;
}


store.deserialize = function(value) {

        if ( typeof value !== 'string' ) { return undefined; }

        try {
                if ( store.crypt ) { value = store.crypt.decrypt( value ); }

                // decrypt() may return text that is not valid JSON (e.g. after a
                // key change), so parsing stays inside the try
                return JSON.parse( value );
        } catch (e) {
                return undefined;
        }
}

I'd like to discuss this idea with more proficient developers as I don't
have much experience with client-side encryption.


Reply to this email directly or view it on GitHub:
#50

from store.js.
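
An added example, not part of the original thread or of store.js: the proposal above (encrypt after JSON serialization, keyed by a session token) sketched with Node's built-in `crypto` and AES-GCM, so that a value read under a different token or modified on disk comes back as `undefined` instead of junk. `makeCrypt`, the salt/info labels and the second token are assumptions made for the illustration.

```javascript
// Added example, not store.js code. Node's built-in crypto stands in for a browser library.
const crypto = require('crypto');

// Hypothetical adapter with the encrypt()/decrypt() shape proposed in the thread.
function makeCrypt(sessionToken) {
  // Derive a 256-bit key from the token; salt and info are constructed labels.
  const key = Buffer.from(
    crypto.hkdfSync('sha256', sessionToken, 'store-crypt-salt', 'store-crypt-v1', 32));
  return {
    encrypt(plaintext) {
      const iv = crypto.randomBytes(12); // fresh nonce for every stored value
      const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
      const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
      return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
    },
    decrypt(encoded) {
      const raw = Buffer.from(encoded, 'base64');
      const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
      decipher.setAuthTag(raw.subarray(12, 28));
      // final() throws if the key is wrong or the stored bytes were changed
      return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
    },
  };
}

function serialize(value, crypt) {
  return crypt.encrypt(JSON.stringify(value));
}

function deserialize(stored, crypt) {
  if (typeof stored !== 'string') return undefined;
  try {
    return JSON.parse(crypt.decrypt(stored));
  } catch (e) {
    return undefined; // undecryptable or tampered entry: treat as missing
  }
}

// Constructed scenario: a Map plays the role of localStorage on a shared workstation.
function demo() {
  const disk = new Map();
  const sessionA = makeCrypt('c015dc1d6028a6815ac944c8512c10db'); // token from the post
  disk.set('profile', serialize({ user: 'piotr', cart: [1, 2] }, sessionA));
  const raw = Buffer.from(disk.get('profile'), 'base64');
  raw[raw.length - 1] ^= 1; // flip one ciphertext bit
  return {
    sameToken: deserialize(disk.get('profile'), sessionA),
    otherToken: deserialize(disk.get('profile'), makeCrypt('constructed-token-for-session-B')),
    tampered: deserialize(raw.toString('base64'), sessionA),
  };
}
```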

piotr-cz avatar piotr-cz commented on August 28, 2024

Hi Marcus.

I get your point. Anyway, I'd like to see a flexible way to inject such a data processor. In my proposal, encryption in store.js code is mentioned only in the function name; another scenario could be string compression.

Didn't come up with any meaningful names so:

in serialize:
if ( store.decode )
    serialized = store.decode( serialized ); // afterSerialize/ beforeSave / postProcess
in deserialize:
if ( store.encode )
    value = store.encode( value ); // beforeDeserialize / afterLoad / preProcess

If you still think it's not a good idea, no big deal.


marcuswestin avatar marcuswestin commented on August 28, 2024

My suggestion is that you create a fork of store.js with encryption implemented. I would definitely link to it from the readme.


jrochkind avatar jrochkind commented on August 28, 2024

Please keep store.js lean.

Rather than a fork, submitter might want to create their own separate js library that depends upon store.js for the actual storage, but has its own methods to call to do so with encryption.


Nashorn avatar Nashorn commented on August 28, 2024

I agree.


degie avatar degie commented on August 28, 2024

Me too.

Sent from Samsung Galaxy Note ICS
On 2 Nov 2012 17:01, "Nashorn" [email protected] wrote:

I agree.

Reply to this email directly or view it on GitHub: https://github.com//issues/50#issuecomment-10019166.


marcuswestin avatar marcuswestin commented on August 28, 2024

Thanks for weighing in everyone - I'll close this for now.

Cheers!


piotr-cz avatar piotr-cz commented on August 28, 2024

Thanks for the opinions.
Although I think this is pretty important, it's quite easy (and probably a more generic solution) to overwrite native methods when the project's nature requires so.


marcuswestin avatar marcuswestin commented on August 28, 2024

Store.js v2.0 has been released with support for plugins! See https://github.com/marcuswestin/store.js#user-content-write-your-own-plugin for a quick description of how to write one.

If you're up for writing one I'll definitely accept a PR!

