Laravel provides standard data encryption/decryption methods, see Encrypt/Decrypt DB fields in laravel. However, the APP_KEY attribute stored in the .env file is used as the shared key for encryption, see https://simonkollross.de/posts/encrypting-laravel-eloquent-attributes-using-a-custom-cast. Thus, any administrator of the hosting can easily access this key and decrypt the secret data. In my existing project, the data of each user is encrypted at the mySQL level under by his own key, that is the user's password for the application.
Is it possible to implement in Laravel Eloquent the ability to encrypt user data under his own password (key), which will be unknown for the server administrator?
Related
I have installed WSO2 IS 6.0.0 and it is working. I have even configured Service Providers which are working fine.
Now I have my own MYSQL Database which has its own table(local_users) with users in it. There are around 10 users.
I want those users to be able to log in to WSO2 MYAcount using a username and password from the "local_users" Table and not WSO2 User Store.
I have read the documentation here which seems to only create WSO2 tables in MYSQL Database. But it doesn't take my table(local_users) from the same Database. I didn't find any option to give my table name or column name.
So my question is, is it possible to incorporate your own MYSQL DB Table with WSO2 Identity Server?
You can plug your own database which has user data as a userstore to WSO2 IS.
For that, you have to write a custom userstore manager to manage the user store, because the DB schema is different than the schema used in WSO2 default userstores.
Refer to https://nishothan-17.medium.com/custom-user-store-manager-for-wso2-identity-server-5-11-0-6e23a4ddf1bb this guide for more information on writing a custom userstore manager and plug your own userstore to WSO2 IS.
I need to use AWS Cognito user authentication service with my React-Native app and also store user data through my mysql database from my laravel backend..
is there a way after user is registered in aws cognito, to send all its data to my mysql database and store it in my users table? like the email, name, cellphone
so after I can be able to use my 'mysql' database to makes queries inside my app..
Thanks in advance..
You can use Cognito Trigger for it, for example
Documentation
Example
I have a request from a customer and I am quite sure the answer is no, but wondering if someone has a different answer.
Background
As you know MySQL installation create a database called "mysql" where it stores the databases we create and also the users.
In the user table, there is a field called "authentication_string" where the user password is saved.
Project
On this project each time a customer creates an account a new database user and database is created.
When a customer logs in through a web interface, the system calls an API to authenticate him/her. After that the root db user is used to connect to customer database, not their own database credentials, why? because they do not want to save user and password on database (this is a temp solution)
They want to change the application so after authentication/authorization process and they would somehow only needed root credentials to somehow get user and password from "mysql db" and then use them to create the connection using customer db credentials.
Is this possible? Or is there some mysql parent - children configuration where this scenario is possible?
Project uses MySQL 5.7
From what I can understand I think you could just use MySQL’s SET PASSWORD to set some random strong password for the user and then login using that. This way you would not store anything and it would still be pretty secure assuming your root db access is fairly isolated from the thing that’s trying to login as the user.
For example:
SET PASSWORD FOR some_user = <long-strong-randomly-generated-password-string>
Afterwards you return this <long-strong-randomly-generated-password-string> from your access-providing process and then the user process can login using that. In this case it would stay valid until the next SET PASSWORD, so keep that in mind, but depending on your use-case that might be ok.
When deploying Reporting Services Reports, I get the following error:
EXCEPTIONMESSAGE:System.Web.Services.Protocols.SoapException: The report server cannot decrypt the symmetric key that is used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content.
Open up Reporting Services Configuration Manager
Encryption Keys
Delete Encrypted Content
You will need to reset your encryption keys. To do that:
Open Reporting Services Configuration Manager and select 'Encryption keys' tab
Click 'Delete' in 'Delete Encrypted Keys' section:
You will need to reset all connection strings and db credentials for all your data sources.
And deleting the keys will not delete any data on the server. You reports will be fine, however your connection settings (data sources) will be gone. You will have to re create the connection for the reports.
You have to delete the encryption key because something is wrong with the encryption. Some setting must have changed. If you do not have a backup key, you have no other choice. Delete, create a new one, and create new connection strings.
Not a big problem.
In the web-application I'm developing I currently use a naive solution when connecting to the database:
Connection c = DriverManager.getConnection("url", "username", "password");
This is pretty unsafe. If an attacker gains access to the sourcecode he also gains access to the database itself. How can my web-application connect to the database without storing the database-password in plaintext in the sourcecode?
You can store the connection string in Web.config or App.config file and encrypt the section that holds it. Here's a very good article I used in a previous project to encrypt the connection string:
http://www.ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html
In .NET, the convention is to store connectionstrings in a separate config file.
Thereon, the config file can be encrypted.
If you are using Microsoft SQL Server, this all becomes irrelevant if you use a domain account to run the application, which then uses a trusted connection to the database. The connectionstring will not contain any usernames and passwords in that case.
I can recommend these techniques for .NET programmers:
Encrypt password\connection string in config file
Setup trusted connection between client and server (i.e. use windows auth, etc)
Here is useful articles from CodeProject:
Encrypt and Decrypt of ConnectionString in app.config and/or web.config
Unless I am missing the point the connection should be managed by the server via a connection pool, therefore the connection credentials are held by the server and not by the app.
Taking this further I generally build to a convention where the frontend web application (in a DMZ) only talks to the DB via a web service (in domain), therefore providing complete separation and enhanced DB security.
Also, never give priviliges to the db account over or above what is essentially needed.
An alternative approach is to perform all operations via stored procedures, and grant the application user access only to these procs.
Assuming that you are using MS SQL, you can take advantage of windows authentication which requires no ussername/pass anywhere in source code. Otherwise I would have to agree with the other posters recommending app.config + encryption.
Create an O/S user
Put the password in an O/S environment variable for that user
Run the program as that user
Advantages:
Only root or that user can view that user's O/S environment variables
Survives reboot
You never accidentally check password in to source control
You don't need to worry about screwing up file permissions
You don't need to worry about where you store an encryption key
Works x-platform