
JavaScript React Authentication (2019) Implementing Basic Authentication Set up Basic Authentication

Would you still use something like bcrypt?

So the way I understand it is this makes the credentials encoded before sending them to the server. Would you still run the encoded credentials through a program like bcrypt before passing them to the database?

I assume the answer is yes because it would be one more step of safety built into the website, but I would still like to know.

3 Answers

Jennifer Nordell (STAFF, Treehouse Teacher)

Paul Messmer Absolutely! No password should ever be saved in the database unencrypted. You would want to save the hash of the password in the database as opposed to saving the password as plain text. Then when the user sends their credentials, you'd compare the hash of what they send to the hash stored in the database server-side. :smiley:

Hope this helps! :sparkles:

Mark Westerweel (Full Stack JavaScript Techdegree Graduate, 22,378 Points)

Check out the provided link: https://developer.mozilla.org/en-US/docs/Glossary/Base64

The encoding is just to ensure the "username:password" string isn't modified during sending the data. It's in no way more secure than sending in plain text. It just converts the string to ASCII.

from the link:

*btoa(): creates a base-64 encoded ASCII string from a "string" of binary data ("btoa" should be read as "binary to ASCII").*

also:

*atob(): decodes a base64 encoded string ("atob" should be read as "ASCII to binary").*

Yes, taking on Mark Westerweel's response, I also found this answer on StackOverflow further supporting that reasoning.

When we send over data, we cannot be sure that the data would be interpreted in the same format as we intended it to be. So, we send over data coded in some format (like Base64) that both parties understand. That way, even if the sender and receiver interpret the same things differently, because they agree on the coded format, the data will not get interpreted wrongly.

So I now see this as a similar reason to why the APIs we are using on the course mostly use JSON to communicate. It's a language that's simple, and all other languages can interact with it.