Stop Transmitting Passwords in Plain Text

· / ·

reads

AI TranslationSimplified ChineseEnglish

Key Insights

AI · GEN

Foreword

Recently, I used Next.js to build some full-stack projects, and used better-auth for user authentication.

However, in practice, I found that AI-generated code often transmits passwords in plain text. Although HTTPS is normally used in production and TLS encryption is already in place at the transport layer, this doesn't mean you can casually stuff plaintext passwords into request bodies.

HTTPS only ensures transport security between the browser and the TLS termination point (e.g., nginx). Passwords still appear in plaintext at the reverse proxy, gateway, logs, database, etc. This means anyone with access to these can easily log into everyone's accounts. For personal projects, you might ignore password encryption, but it's clearly not acceptable for a product.

Hence this blog post, explaining how to apply RSA asymmetric encryption to passwords at the application layer when using better-auth. Perhaps feeding this material to AI can help implement similar solutions in other projects, but please comply with the MIT license for attribution, see the end of the article.

Overall Flow

The user enters the password in the browser.
The frontend reads NEXT_PUBLIC_RSA_PUBLIC_KEY.
Encrypt the password using RSA-OAEP.
The encrypted package includes a timestamp, random salt, request ID, and HMAC signature.
The frontend sends the encrypted string to better-auth.
The server decrypts within better-auth's password.hash / password.verify.
Finally, only the bcrypt hash is stored in the database.

Throughout the flow, the plaintext password only appears when the user enters it.

Client-Side Encryption

CodeBlock Loading...

Here, we didn't just encrypt the password itself; instead, we put several fields together into the RSA ciphertext:

TEXT

password|timestamp|salt|requestId

Where:

password is the original password entered by the user.
timestamp is used to determine if the request has expired.
salt ensures that the same password produces different ciphertext each time.
requestId is used to prevent replay attacks.

On the login page, before submitting to better-auth, rsaEncrypt is called first.

CodeBlock Loading...

The same applies during registration:

CodeBlock Loading...

This way, when capturing packets, the password field is no longer the original password but an RSA-encrypted data package.

Server-Side Decryption

First, decrypt with the private key:

CodeBlock Loading...

Then perform unified validation:

CodeBlock Loading...

Here, several things are done:

Check the encrypted package format.
Check if the timestamp has expired.
Check if the requestId has already been used.
Decrypt with the RSA private key.
Check if the outer timestamp matches the inner timestamp.
Check if the outer request ID matches the inner request ID.
Verify the HMAC signature.
Return the bcrypt hash of the password.

Deduplication of requestId uses Redis:

CodeBlock Loading...

That is, only the first request can be written successfully; subsequent reuse of the same requestId will be rejected, preventing replay attacks.

The commands to generate the public/private key pair are as follows:

CodeBlock Loading...

Of course, using ssh-keygen directly is also feasible, and it's essential to ensure the security of the private key.

Integrating with better-auth

better-auth handles email/password login by default, but here we need to customize the password handling logic to implement encryption and hashing.

CodeBlock Loading...

There's a detail here: better-auth's minPasswordLength is set to 1, and maxPasswordLength to 4096.

The reason is that what's passed to better-auth is no longer the original password but the RSA-encrypted data package. If the default length limits were kept, it would easily be intercepted at the better-auth layer.

If you need to limit the password length, it can only be done in the client-side rsaEncrypt.

Of course, better-auth only requires password verification in login and registration scenarios by default. For places like changing passwords or deleting accounts, just reuse rsaEncrypt and rsaDecryptAndValidate.

Other Security Configurations for better-auth

In addition to password encryption, you can also configure some security options when initializing betterAuth:

CodeBlock Loading...

The meanings are roughly as follows:

Do not disable CSRF checks.
Use Secure Cookie in production.
Set Cookie httpOnly.
Set Cookie sameSite: "lax".

And rate limiting for login, registration, and password reset:

CodeBlock Loading...

This can reduce issues like credential stuffing, registration spam, and email spam.

Foreword

Recently, I used Next.js to build some full-stack projects, and used better-auth for user authentication.

Overall Flow

The user enters the password in the browser.
The frontend reads NEXT_PUBLIC_RSA_PUBLIC_KEY.
Encrypt the password using RSA-OAEP.
The encrypted package includes a timestamp, random salt, request ID, and HMAC signature.
The frontend sends the encrypted string to better-auth.
The server decrypts within better-auth's password.hash / password.verify.
Finally, only the bcrypt hash is stored in the database.

Throughout the flow, the plaintext password only appears when the user enters it.

Client-Side Encryption

export async function rsaEncrypt(password: string, publicKey: string): Promise<string> {
  const timestamp = Date.now().toString();
  const salt = generateSalt(16);
  const requestId = generateRequestId();
  const dataToEncrypt = `${password}|${timestamp}|${salt}|${requestId}`;
  const publicKeyObj = forge.pki.publicKeyFromPem(
    `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`,
  );
  const encrypted = publicKeyObj.encrypt(dataToEncrypt, "RSA-OAEP", {
    md: forge.md.sha256.create(),
    mgf1: {
      md: forge.md.sha256.create(),
    },
  });
  const encryptedData = forge.util.encode64(encrypted);
  const hmacKey = forge.md.sha256.create()
    .update(timestamp + salt)
    .digest()
    .toHex();
  const signature = computeHMAC(encryptedData, hmacKey);
  return `${encryptedData}$${signature}$${timestamp}$${requestId}`;
}

CodeBlock Loading...

Here, we didn't just encrypt the password itself; instead, we put several fields together into the RSA ciphertext:

TEXT

password|timestamp|salt|requestId

Where:

password is the original password entered by the user.
timestamp is used to determine if the request has expired.
salt ensures that the same password produces different ciphertext each time.
requestId is used to prevent replay attacks.

On the login page, before submitting to better-auth, rsaEncrypt is called first.

await authClient.signIn.email({
  email: formData.email,
  password: await rsaEncrypt(formData.password, publicKey),
  rememberMe,
  callbackURL: callbackUrl,
});

CodeBlock Loading...

The same applies during registration:

await authClient.signUp.email({
  email: formData.email,
  password: await rsaEncrypt(formData.password, publicKey),
  name: formData.name,
  organization: formData.organization,
  callbackURL: "/sign-up",
});

CodeBlock Loading...

This way, when capturing packets, the password field is no longer the original password but an RSA-encrypted data package.

Server-Side Decryption

First, decrypt with the private key:

const rsaDecrypt = (encryptedData: string): string => {
  const encryptedBytes = forge.util.decode64(encryptedData);
  const privateKey = forge.pki.privateKeyFromPem(privateKeyText);
  const decryptedBytes = privateKey.decrypt(encryptedBytes, "RSA-OAEP", {
    md: forge.md.sha256.create(),
    mgf1: {
      md: forge.md.sha256.create(),
    },
  });
  return decryptedBytes;
};

CodeBlock Loading...

Then perform unified validation:

export const rsaDecryptAndValidate = async (encryptedPackage: string): Promise<string> => {
  const parts = encryptedPackage.split("$");
  if (parts.length !== 4) {
    throw new Error("无效的数据包格式");
  }
  const [encryptedData, signature, timestampStr, requestId] = parts;
  if (!validateTimestamp(timestampStr)) {
    throw new Error("请求已过期，请重试");
  }
  const isNew = await validateRequestId(requestId);
  if (!isNew) {
    throw new Error("无效的请求，请重试");
  }
  const decryptedData = rsaDecrypt(encryptedData);
  const dataParts = decryptedData.split("|");
  if (dataParts.length !== 4) {
    throw new Error("无效的数据格式");
  }
  const [actualPassword, innerTimestamp, salt, innerRequestId] = dataParts;
  if (innerTimestamp !== timestampStr) {
    throw new Error("数据完整性验证失败");
  }
  if (innerRequestId !== requestId) {
    throw new Error("数据完整性验证失败");
  }
  const hmacKey = forge.md.sha256.create()
    .update(timestampStr + salt)
    .digest()
    .toHex();
  const expectedSignature = computeHMAC(encryptedData, hmacKey);
  if (signature !== expectedSignature) {
    throw new Error("数据完整性验证失败");
  }
  if (!actualPassword) {
    throw new Error("密码不能为空");
  }
  return actualPassword;
};

CodeBlock Loading...

Here, several things are done:

Check the encrypted package format.
Check if the timestamp has expired.
Check if the requestId has already been used.
Decrypt with the RSA private key.
Check if the outer timestamp matches the inner timestamp.
Check if the outer request ID matches the inner request ID.
Verify the HMAC signature.
Return the bcrypt hash of the password.

Deduplication of requestId uses Redis:

const result = await redisClient.set(key, "1", {
  NX: true,
  EX: REQUEST_ID_TTL,
});

CodeBlock Loading...

That is, only the first request can be written successfully; subsequent reuse of the same requestId will be rejected, preventing replay attacks.

The commands to generate the public/private key pair are as follows:

BASH

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private_key.pem
openssl rsa -in private_key.pem -pubout -out public_key.pem

CodeBlock Loading...

Of course, using ssh-keygen directly is also feasible, and it's essential to ensure the security of the private key.

Integrating with better-auth

better-auth handles email/password login by default, but here we need to customize the password handling logic to implement encryption and hashing.

export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    minPasswordLength: 1,
    maxPasswordLength: 4096,
    requireEmailVerification: true,
    password: {
      hash: async (password) => {
        const decryptedPassword = await rsaDecryptAndValidate(password);
        return bcrypt.hash(decryptedPassword, 10);
      },
      verify: async ({ hash, password }) => {
        const decryptedPassword = await rsaDecryptAndValidate(password);
        return bcrypt.compare(decryptedPassword, hash);
      },
    },
  },
});

CodeBlock Loading...

There's a detail here: better-auth's minPasswordLength is set to 1, and maxPasswordLength to 4096.

If you need to limit the password length, it can only be done in the client-side rsaEncrypt.

Other Security Configurations for better-auth

In addition to password encryption, you can also configure some security options when initializing betterAuth:

advanced: {
  disableCSRFCheck: false,
  useSecureCookies: isProduction,
  defaultCookieAttributes: {
    sameSite: "lax",
    httpOnly: true,
    secure: isProduction,
    path: "/",
  },
}

CodeBlock Loading...

The meanings are roughly as follows:

Do not disable CSRF checks.
Use Secure Cookie in production.
Set Cookie httpOnly.
Set Cookie sameSite: "lax".

And rate limiting for login, registration, and password reset:

rateLimit: {
  enabled: isProduction,
  customRules: {
    "/sign-up/email": {
      window: 60,
      max: 1,
    },
    "/request-password-reset": {
      window: 60,
      max: 1,
    },
    "/sign-in/email": {
      window: 30,
      max: 5,
    },
  },
}

CodeBlock Loading...

This can reduce issues like credential stuffing, registration spam, and email spam.