Here’s the scheme for a desktop app that works only when the user is online, registered and has an active license.
So basically, what I want to achieve is, when a user clicks the log-in button in the sketch window, I’d like to get:
-Whether they’re registered or not and whether their license is active or not, using their encrypted username, from the server side (their password will serve as the encryption key because I don’t want to set a fixed key on the client side). They’re not forwarded to a browser; the sketch should get the data itself.
I’m encrypting it because I don’t want it to be exposed.
My question is:
1- How safe and feasible is this?
2- Is there any AES encryption method (or some other method as strong) directly applied within Processing IDE? This tool seems promising as it has both the PHP and the JAVA code. Is it possible to use it in Processing without a JAVA IDE?
Hope I made myself clear.
Any help would be much appreciated.
Have you considered using a premade auth solution? Unless this is for educational purposes, building security from the ground up is maybe not the way to go.
Firebase has a nice auth solution (unique user id, no plaintext pw, auto email recovery) but they’re the only solution I’ve tried so take my suggestion with a grain of salt haha
Is this a desktop app or a web app? I ask because you are referring to a browser and the approach in these two cases are different.
For the web approach, Firebase is a good solution as they have standardized the most common login flows. There are many other options using passport.js, and you will need to make it work with your code on the server side.
For a desktop app, if you use Java, then you will need to use a client SDK library that manages sessions and use a third-party library for encryption. For the latter, it is recommended “not to do it yourself”.
I am assuming you are also working on your server code?
I like what you said: “I don’t want to set a fixed key on the client side.” That is generally good.
On a side note, you said this: “using their encrypted username from the server side.” From the screenshot you share, it seems to me you are passing the encrypted username and the “encrypted” (?) password in the request, and the latter is used to decrypt the former. In other words, you are sending the safe and the key in the same message, not a good idea. My suggestion: do not encrypt the username.
Password encryption is very important and it should be managed by a reputable third-party library. You will not need to decrypt the password… ever. You always [1] compare the encrypted versions to the one stored in the DB to validate the session, and [2] this is done on the server side. Second, I would not be concerned about encrypting the username, especially if the username is visible in public places. For example, my username here is “kfrajer”, so no need to encrypt it if not needed.
Do you want to explore login flows? I can see you are using PHP. I would suggest you pick a PHP book and read the 2 or 3 chapters related to session management, and it will give you the foundations to work on your project.
These are some points here and there about sessions. The topic is just wide. I recommend the guides from Kevin, specifically the ones under the server section. He is even around in this forum or you can post questions in his forum.
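As an added illustration of points [1] and [2] above (example code, not from the original thread or from any Processing or PHP library): the server stores only a random salt and a PBKDF2 hash, never decrypts anything, compares hashes in constant time, and only reports license state after the password check succeeds. The username travels in plaintext (over TLS) as suggested; the user table, usernames and passwords below are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed in-memory "user table" standing in for the server's database.
# Each record holds a salt and a PBKDF2 hash; the password itself is never stored.
USERS: Dict[str, dict] = {}
PBKDF2_ITERATIONS = 200_000
DUMMY_SALT = b"\x00" * 16  # used to keep timing uniform for unknown usernames


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow hash. There is no decrypt counterpart by design."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, license_active: bool) -> None:
    """Server-side registration: fresh random salt per user, store only the hash."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "license_active": license_active,
    }


def login(username: str, password: str) -> dict:
    """Server-side login check; the client only receives this small result.

    Unknown user and wrong password produce the identical response so a caller
    cannot enumerate registered usernames by probing the login endpoint.
    """
    record = USERS.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)  # same cost as a real check
        return {"authenticated": False, "license_active": False}
    candidate = hash_password(password, record["salt"])
    # compare_digest avoids leaking the matching prefix length through timing
    if not hmac.compare_digest(candidate, record["hash"]):
        return {"authenticated": False, "license_active": False}
    return {"authenticated": True, "license_active": record["license_active"]}


if __name__ == "__main__":
    register("kfrajer", "correct horse battery", True)
    print(login("kfrajer", "correct horse battery"))
    print(login("kfrajer", "wrong password"))
```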