Reputation: 1437
By virtue of PhantomJS, CasperJS allows you to specify a JSON file to load when the application starts. I have my credentials stored in this file, which is a little better than having it hardcoded in the source file:
```javascript
var json = require('testfile.json');
var username = json['username'];
var mykey = json['mykey'];
```
I still have my credentials stored in plain text on the server, which I'd like to get far away from. This process will be automated, so I can't pass in the credentials via command line arguments each time it runs, nor do I want to store the arguments in Windows Task Scheduler. What's a secure way to store this information at rest?
Upvotes: 4
Views: 1409
Reputation: 67
Using the functions listed on this page: http://lollyrock.com/articles/nodejs-encryption/
I was able to build the following proof of concept for my own needs:
```javascript
var crypto = require('crypto');

var algorithm = 'aes256';
var password = 'correcthorsestaplebattery';
var string = "Something I'd like to encrypt, like maybe login credentials for a site I need to scrape.";

console.log('\n\nText: ' + string);
// Buffer.from replaces the deprecated `new Buffer(...)` constructor
var encrypted = encrypt(Buffer.from(string, 'utf8'), algorithm, password);
// print the ciphertext as hex; raw cipher bytes are not valid UTF-8 text
console.log('\n\nEncrypted: ' + encrypted.toString('hex'));
var decrypted = decrypt(encrypted, algorithm, password).toString('utf8');
console.log('\n\nDecrypted: ' + decrypted);

// check to prove 2-way encryption works
console.log('\n\nAre they the same before and after crypto? ');
console.log(decrypted === string);

// Note: crypto.createCipher/createDecipher derive the key from the password
// with unsalted MD5 and use no random IV. They were deprecated in Node.js 10
// and removed in Node.js 22, so this proof of concept needs an older runtime.
function encrypt(buffer, algorithm, password) {
    var cipher = crypto.createCipher(algorithm, password);
    return Buffer.concat([cipher.update(buffer), cipher.final()]);
}

function decrypt(buffer, algorithm, password) {
    var decipher = crypto.createDecipher(algorithm, password);
    return Buffer.concat([decipher.update(buffer), decipher.final()]);
}
```
This uses AES256, which should be as secure as 2-way encryption can be, although I'm not advanced enough to comment on the implementation. It's better than plain text anyway.
From this, you could easily write the output to a file instead of the console as shown. As long as you're just parsing a file containing JSON, you would just have to add the step of decrypting before interpreting it.
I hope this helps.
Upvotes: 1