The backend services that I am consuming requires me to pass a security token in the API header. Hence, I am looking for a secured way to store Private keys and other API tokens in the frontend using React.js
I have explored a few options like,
- Storing the private key in a config file and include it in bundle. Easiest option but a very bad one as it is easily exposed for obvious reasons.
- Having a separate backend service that adds the required header and forwards the request to the actual backend service. This might work, but it would add other problems like additional network latency, security of the new service
- Having a proxy service (Backend for frontend pattern). Again, additional network latency and security might be a problem.
- Storing the key in session or localstorage – When a user logs in, get the private key from the login API after successful authentication and store it in browser’s session storage and clear upon logout.
I am liking the option to get the keys from a secured backend API. Is this a safe option? Are there any risks associated with this?
What is the best approach for me here ? and are there any other options that I am missing?
Thanks in advance.
2
Answers
You cannot store the secret key in a config file or local storage because anyone can access that and use that secret key to try to hack your application.
And as you mentioned creating a separate backend service just for passing the secret key is not a good idea as it will add some more time for your request to reach the backend.
Solution
I would suggest creating a function in the backend that generates two keys, One will be sent to the user and the second will be stored in the database with the reference to that user.
Then you can send a request from the frontend with that public key and in the backend you can verify that public key using the private key that you have stored for that user.
There are some encryption algorithms that you can use for this purpose. E.g.:- Advanced Encryption Standard (AES), Triple DES, RSA Security.
I have a suggestion. Instead of storing the private key as a plain text, how about encrypting the private key with a password (this password is not stored anywhere) and whenever you need to retrieve the private key, you ask the user to enter the password first and then you decrypt the private key with the password and then use to sign transactions or do whatever you want with it.
Also, I think it will be a robust option to use something like AWS Secrets Manager (Check here) to store the private keys. Using such service will abstract you from the headache of securing sensitive data over the network and it does not have so much network latency as well.
It is not really storing the keys in the UI but I think that it can work just fine with your use case. Tell me your insights about this, I am interested about the topic as well.