
Comments (5)

aboodman commented on May 25, 2024 2

Yeah, this is a common request.

We've resisted because encrypting the data within a user account is not a way to prevent two users sharing a login from seeing each other's data. User A could simply install a browser extension that snarfs all data out of the browser when user B logs in. This can be done even if no data is stored in IDB. And encrypting the data in IDB doesn't help.

There is no secure way to allow two users to use the same login. The purpose of user accounts on computers is to keep user data separate from each other. There is not a way to achieve that other than using accounts.


That all said, if you do want to encrypt data stored in Replicache you can do so. You can communicate a key to the client at login time and encrypt all your values before you store them, and decrypt on read.

We don't provide a facility for it because we don't want to encourage a false sense of security, but it's easy enough to do in user code if you want.

from replicache.
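
The approach described in the comment above (a key communicated to the client at login, values encrypted before they are stored and decrypted on read), as an added example that is not part of the thread or of Replicache's own code. It assumes the server hands the client 32 raw key bytes at login; `importUserKey`, `sealValue`, `openValue` and the `Map` standing in for the persisted store are hypothetical names, and binding the record key as AES-GCM additional data goes beyond what the comment specifies.

```javascript
// Added example: AES-GCM applied to values before they reach a JSON key/value store.
// Browsers and Node 20+ expose WebCrypto as globalThis.crypto; the fallback covers older Node.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();

const toB64 = (buf) => btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(''));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Import the per-user key received at login (assumption: 32 raw bytes from the server).
// Non-extractable and held in memory only; it is never written to IndexedDB or localStorage.
async function importUserKey(rawKeyBytes) {
  return webCrypto.subtle.importKey('raw', rawKeyBytes, 'AES-GCM', false, ['encrypt', 'decrypt']);
}

// Encrypt a JSON value. The record key is bound as additional data, so a
// ciphertext copied under a different record key fails authentication.
async function sealValue(userKey, recordKey, value) {
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh nonce for every write
  const ct = await webCrypto.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(recordKey) },
    userKey, enc.encode(JSON.stringify(value)));
  return { v: 1, iv: toB64(iv), ct: toB64(ct) }; // plain JSON, safe to store as a value
}

// Decrypt on read; rejects if the key, record key, nonce or ciphertext do not match.
async function openValue(userKey, recordKey, sealed) {
  const pt = await webCrypto.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(sealed.iv), additionalData: enc.encode(recordKey) },
    userKey, fromB64(sealed.ct));
  return JSON.parse(dec.decode(pt));
}

// Constructed demo: a Map stands in for the persisted store, keys are random sample keys.
async function demo() {
  const store = new Map();
  const keyA = await importUserKey(webCrypto.getRandomValues(new Uint8Array(32)));
  const keyB = await importUserKey(webCrypto.getRandomValues(new Uint8Array(32)));
  store.set('record/1', await sealValue(keyA, 'record/1', { note: 'constructed sample' }));
  const outcome = (p) => p.then(() => 'ok', () => 'rejected');
  const roundTrip = await openValue(keyA, 'record/1', store.get('record/1'));
  const otherUser = await outcome(openValue(keyB, 'record/1', store.get('record/1')));
  const moved = await outcome(openValue(keyA, 'record/2', store.get('record/1')));
  return { roundTrip, otherUser, moved };
}
```

Only values are encrypted here; record keys stay readable in the store, so they should not carry sensitive fields.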

arv commented on May 25, 2024

Why is it not enough to secure the browser managed database files using user account permissions?

What is different between them viewing it in an app vs viewing it through devtools or by loading the indexeddb files in some third party tool?


DaveMBush commented on May 25, 2024

Most importantly, because my security team won't let me store anything into IndexedDB unless it is not sensitive or it is encrypted with a security key unique to each user who logs in.

Say user A logs in and views their data, which is stored into IndexedDB, and it has sensitive data: medical records, legal documents, or tax information.

User B logs in to view their data, and should not be able to see user A's data. But because it isn't encrypted and they are on the same domain, they can see everything that was stored for user A.

In an ideal implementation, User A would have their own data storage (or sets of storage) and user B would have their own storage. Each would be encrypted with unique keys so neither can see the other's information.


aboodman commented on May 25, 2024

Also, User A's data will almost certainly be unencrypted in the HTTP cache on the browser when User B logs in -- unless you are being very careful to prevent that.


arv commented on May 25, 2024

Another thing you could do to make your security team happier is to use a checkbox when you log in saying something like "This is a shared computer", which when checked does not store anything locally. You can replace the persistent storage layer in Replicache with an in-memory one using the experimentalKVStore API.
