Welcome to the Treehouse Community
The Treehouse Community is a meeting place for developers, designers, and programmers of all backgrounds and skill levels to get support. Collaborate here on code errors or bugs that you need feedback on, or asking for an extra set of eyes on your latest project. Join thousands of Treehouse students and alumni in the community today. (Note: Only Treehouse students can comment or ask questions, but non-students are welcome to browse our conversations.)
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and a supportive community. Start your free trial today.
Would you still use something like bcrypt?
so the way I understand it is this makes the credentials encoded before sending it to the server. Would you still run the encoded credentials though a program like bcrypt before passing it to the data base?
I assume the answer is yes because it would be one more step of safety built into the website but would still like to know
Jennifer NordellTreehouse Teacher
Paul Messmer Absolutely! No password should ever be saved in the database unencrypted. You would want to save the hash of the password in the database as opposed to saving the password as plain text. Then when the user sends their credentials, you'd compare the hash of what they send to the hash stored in the database server-side.
Hope this helps!
Check out the provided link: https://developer.mozilla.org/en-US/docs/Glossary/Base64
The encoding is just to ensure the "username:password" string isn't modified during sending the data. It's in no way more secure than sending in plain text. It just converts the string to ASCII .
from the link:
*btoa(): creates a base-64 encoded ASCII string from a "string" of binary data ("btoa" should be read as "binary to ASCII"). *
atob(): decodes a base64 encoded string("atob" should be read as "ASCII to binary").
When we send over data, we cannot be sure that the data would be interpreted in the same format as we intended it to be. So, we send over data coded in some format (like Base64) that both parties understand. That way even if sender and receiver interpret same things differently, but because they agree on the coded format, the data will not get interpreted wrongly.
So I now see this as a similar reason to why APIs we are using on the course mostly use
json to communicate. It's a language that's simple and all other languages can interact with it.