Specifying password during user registration.
-
I'm following this tutorial to register a new user via FusionAuth API. Going through this documentation for the endpoint, I found that it expects password for the new user to be sent as plain text. But this would be insecure, assuming the flow looks like
My Frontend
-->My Backend
-->FusionAuth API
-->My Backend
-->My Frontend
. Is there a better way of communicating the password to FusionAuth. Thanks! -
Hiya,
First off, we'd recommend having all the flow you outline be over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:
My Frontend
-->My Backend
-->FusionAuth API
There's no password returned from the registration API call.
If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)
The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one off registrations. There are no plans to accept encrypted passwords for one off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.
Are there specific security concerns you have around your front end/back end systems that I might be missing?
-
Thanks @dan I think we're going to go with the FusionAuth hosted pages for now.
-
Sounds great, thanks!