I didn't know if this should go in discussion or here as I imagine this was partly intentional.
Because IvParameterSpec is generated on random bytes, whenever you run the application the spec changes between runs, resulting in different encrypted strings on the same raw string (this is the whole point of initialization vectors). This means if you have an EncryptedPassword already saved in the database, you won't be able to log in using the same password if the application restarts. crypto.encrypt("mypassword") will result in a different EncryptedPassword than what is in the database.
This doesn't seem like a very desirable behavior. What are your thoughts?
Steps to reproduce:
- Run the application and create a user
- log in with the created user --> 200 OK
- Restart the application
- Try logging in with the same user --> 403 Forbidden
To work around this, the IV needs to be stored in the users table as well.
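The failure and the workaround side by side, as an added example that is not the project's code: it assumes an AES/CBC Crypto shaped like the report describes (one random IvParameterSpec per process, only the ciphertext persisted) and contrasts it with a version that draws a fresh IV per encryption, stores IV || ciphertext in the column, and verifies a login by decrypting the stored value rather than re-encrypting the candidate. Class and method names are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class IvDemo {
    private static final String CIPHER = "AES/CBC/PKCS5Padding";
    private static final SecureRandom RNG = new SecureRandom();
    static byte[] randomIv() { byte[] iv = new byte[16]; RNG.nextBytes(iv); return iv; }
    static byte[] aes(int mode, SecretKey key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(in);
    }
    // Shape of the reported bug (hypothetical reconstruction): the IV is drawn once per process
    // and only the ciphertext is persisted, so after a restart the same password encrypts differently.
    static String encryptProcessIv(SecretKey key, byte[] processIv, String pw) throws Exception {
        return Base64.getEncoder().encodeToString(aes(Cipher.ENCRYPT_MODE, key, processIv, pw.getBytes("UTF-8")));
    }
    // Workaround from the report: fresh IV per encryption, persisted with the ciphertext
    // (here as IV || ciphertext in a single column).
    static String encryptStoredIv(SecretKey key, String pw) throws Exception {
        byte[] iv = randomIv();
        byte[] ct = aes(Cipher.ENCRYPT_MODE, key, iv, pw.getBytes("UTF-8"));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Login check decrypts the stored value with its own IV instead of re-encrypting the candidate
    // and comparing ciphertexts, so it no longer depends on which IV the process started with.
    static boolean matches(SecretKey key, String candidate, String stored) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);
        byte[] pt = aes(Cipher.DECRYPT_MODE, key, Arrays.copyOfRange(blob, 0, 16), Arrays.copyOfRange(blob, 16, blob.length));
        return MessageDigest.isEqual(pt, candidate.getBytes("UTF-8")); // constant-time compare
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // the persistent application key
        String row = encryptProcessIv(key, randomIv(), "mypassword");          // first run: user created
        String afterRestart = encryptProcessIv(key, randomIv(), "mypassword"); // second run: new process IV
        System.out.println("ciphertext equality survives restart: " + row.equals(afterRestart));
        String fixedRow = encryptStoredIv(key, "mypassword");
        System.out.println("decrypt-and-compare after restart: " + matches(key, "mypassword", fixedRow));
        System.out.println("wrong password accepted: " + matches(key, "wrong", fixedRow));
    }
}
```

Storing the IV fixes the restart symptom, but reversibly encrypting passwords still leaves every password recoverable to anyone holding the key; a salted password hash (PBKDF2, bcrypt or similar) is the standard primitive for login verification.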