From a0384f18d863efbe21d9507a85b1a3416a506bee Mon Sep 17 00:00:00 2001 From: leo Date: Thu, 25 May 2023 11:38:15 +0200 Subject: [PATCH] tex: add more stuff on architecture --- tex/text.tex | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tex/text.tex b/tex/text.tex index 3b0138f..fbced30 100644 --- a/tex/text.tex +++ b/tex/text.tex @@ -821,12 +821,14 @@ package to prevent accidental imports. The authentication logic is relatively simple and the author would like to isolate it into a custom \emph{middleware}. User passwords are hashed using a -secure KDF before being sent to the database and no raw queries are used to -access the database, helping prevent SQL injection attacks. The KDF used is -\texttt{bcrypt} but the author plans to add support for the more modern -\texttt{scrypt}or the state-of-the-art, P-H-C (Password Hashing Competition) +secure KDF before being sent to the database. The KDF used is \texttt{bcrypt} +(with a sane \emph{Cost} of 10), which automatically includes \emph{salt} for +the password. The author plans to add support for the more modern +\texttt{scrypt} and the state-of-the-art, P-H-C (Password Hashing Competition) winner algorithm \texttt{Argon2} -(\url{https://github.com/P-H-C/phc-winner-argon2}). +(\url{https://github.com/P-H-C/phc-winner-argon2}). Besides, no raw queries are +used to access the database, helping decrease the likelihood of SQL injection +attacks. An important thing to mention is embedded assets and templates. Go has multiple mechanisms to natively embed arbitrary files directly into the binary during 
@@ -858,8 +860,10 @@ The application constructs the web pages entirely server-side and it runs without a single line of JavaScript, of which the author is especially proud. It improves load times, decreases attack surface, increases maintainability and reduces cognitive load that is required when dealing with JavaScript. Of course -that requires extensive usage of \texttt{POST}s in forms and frequent full-page -refreshes, but that still is not enough to warrant the use of JavaScript. +that requires extensive usage of non-semantic \texttt{POST}s in forms even for +updates (where \texttt{PUT}s should be used) and the accompanying frequent +full-page refreshes, but that still is not enough to warrant the use of +JavaScript. As an aside, the author has briefly experimented with WebAssembly for this project, but has ultimately scrapped the functionality in favour of the
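Review bot: in the first hunk, "(with a sane \emph{Cost} of 10)" asserts the parameter is adequate without saying why; a reader of an architecture chapter would want the basis (e.g. the measured hashing time on the deployment hardware, or that it matches the library default), since the cost factor is a tunable that should be re-evaluated as hardware gets faster. Two smaller wording points in the same hunk: "before being sent to the database" suggests the plaintext password travels somewhere, whereas the point is that only the hash is stored, so "before being stored in the database" would be more precise; and "Besides, no raw queries are used" reads as conversational in this register, so consider "In addition, no raw queries are used". The hyphenated "P-H-C" also sits oddly next to the spelled-out "Password Hashing Competition"; "PHC (Password Hashing Competition)" matches the URL that follows.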
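Review bot: in the second hunk, "non-semantic \texttt{POST}s in forms even for updates (where \texttt{PUT}s should be used)" states the mismatch but not its cause, which leaves the reader thinking it was a design choice; a short clause noting that plain HTML forms can only submit with \texttt{GET} or \texttt{POST}, so \texttt{PUT} would require JavaScript (exactly what the application avoids), would make the trade-off explicit and tie the sentence back to the no-JavaScript argument that precedes it. The extended sentence now runs four lines with two nested qualifications; splitting it after "updates" and starting a new sentence for the full-page refreshes would keep it readable.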