POSTing user credentials isn't secure

[ilanbiala]

In the $scope.signin function definition, there is a POST request that just sends someth:

{
  user: 'johndoe',
  password: 'jdoe123'
}

Is there no better way to transport this data, because users can just open dev tools and copy the user/pass combo or set up an HTTP request tracker and get that from a victim's computer.

[yoneal]

Encryption is usually handled by tunneling transport through HTTPS.

[jloveland]

I have a PR out for HTTPS. Please take a look.

There is a salt and hash function for the user schema. We should look into making this stronger. Such as

• using a slower hashing algorithm .. pbkdf2 or bcrypt.
• some more info here

[ilanbiala]

@jloveland what is wrong with the hashing we are using now? I get that it isn't the best, but the tradeoff probably isn't worth it for most people and they can change it if they want.

[jloveland]

@ilanbiala, I didn't review all the code. I see there's nothing wrong with the way the hashing is working...looks like mean is using crypto.pbkdf2Sync here. This is great because it's following the NIST Special Publication 800-132 guidelines.

I agree that if people want different crypto, they can just change it.

[jloveland]

Pull Request #140 has been merged. @roieki , can this be closed or are there other concerns?