Is it safe to encrypt a user’s third party API key with their own password?

I’m running a node application which needs to make calls to a third party API, on behalf of my user, using their own API keys.

API calls only need to be made on behalf of the user while they are logged into my site.

Currently I use bcrypt to hash and compare their password:

    const bcrypt = require('bcrypt');

    // At registration: hash the password with cost factor 12 and store the hash
    bcrypt.hash(req.body.password, 12, function (err, hash) {
      // ... store hash for the user
    });

    // At login: compare the submitted password against the stored hash
    bcrypt.compare(req.body.password, users[req.body.username]['password'], function (err, result) {
      // ... result is true when the password matches
    });

I thought when a user adds their API key to the website I could require their password again, and after validating the password, I could use the encryption method here to encrypt it (with their plaintext password as the key).

When a user logs in, I could validate their password, decrypt their API key using the method from the link above (and their password), and store the API key in plain text using express-sessions, ready for making calls on user request.

With this method, if the user loses the password they will have to reset their API keys. I’m happy to accept that trade-off.

Is this approach safe or is there something I’m overlooking?

What is the best way to restrict /proc fs from malicious users (linux)?

I am trying to make a restriction on procfs so that only certain groups of members can perform read and write actions.

The kernel documentation says we can do that by setting hidepid and gid in /etc/fstab. It will restrict a malicious user from reading and writing on procfs, but I have a doubt whether it is possible for a malicious user (restricted in /etc/fstab) to access content in procfs using syscalls instead of fs operations like read and write.

Prevent users from installing Windows OS on a PC

I have an HP Compaq desktop and I want to stop children from accessing the bad stuff on the internet, so for this purpose I have installed the “Qustodio” app on my PC, which cannot be uninstalled without my email account. But there is one method by which they can uninstall it: they can install a new Windows to remove the previous version. My question is, “How can I stop them from installing Windows?” (BIOS boot menu password, I guess)

Hong Kong webhost for Chinese users? Advice please! [closed]

I am planning to create a website mainly aimed towards Chinese users from mainland China. As you probably know, China is a huge pain in the buttocks when it comes to web hosting and everything internet related in general. Without a VPN, 99% of websites hosted in foreign countries are either blocked or extremely slow when viewed from China. Hong Kong kind of works like a bridge between China and the rest of the world.

Could someone please recommend a web host in Hong Kong that offers good speeds for mainland visitors? Google does not really help as the “top 10 web host blabla” is just BS from people trying to make money.

Thanks!

If email can replace SMS/MMS, why is using these “imposed” on phone/smartphone users?

For the last two years I have been in a process of web application usage minimalism;
I have generally completely stopped using any web application for general communication besides my email account. For example, generally I won’t use:

  • Facebook, or any product of Facebook, Inc. (I have had no Facebook account for two years now).
  • VoIP applications such as Line, Kik, Viber, Tango, Telegram and so forth.

I generally use just email, phone and SMS respectively;
Generally, so far, this made me feel happier and gave me lots of time for other activities.

I am not against using “old school” communications such as pneumatic tube, Fax, and SMS or MMS and I use SMS myself about once in two days.

I think Pneumatic tube and Fax, for example, are great concrete technologies for transferring secret messages in closed organizations.

My problem

As I am not an IS expert, I have trouble understanding why, since the release of the World Wide Web to the general public in 1993 (email has existed since the 60s and 70s, but only between government institutions and universities), SMS/MMS are still needed, at least as a standard “imposed” on all phone/smartphone users on this planet.

I think I will not be the only “minimalist” to ask a question about this.

My question

If email can replace SMS/MMS, why is using these “imposed” on phone/smartphone users?

I emphasize that I have nothing against SMS/MMS and, as hinted, I myself use them often, but I just wonder why I must do so, although I am a “minimalist” as described (I would ask if there is a way to bypass that need, but as of 2020 I don’t think it is possible with any telephony-oriented devices).

Preventing Users from Using QR Code Password and Scanner for Authentication

A user was discovered using a QR code to log into a PC. Apparently, the password was put into a QR code generator and printed. The user:

  1. Provides their username
  2. Scans the QR code with a handheld scanner and is granted access

Our company utilizes handheld scanners for a variety of reasons, so it is not feasible to use endpoint protection USB device control to block all scanners or brands of scanners. This user also uses handheld scanners for everyday work duties. We are curious about a creative way to prevent this technically. We also plan on addressing this administratively through policy. One idea was floated that, if possible (through GPO), we could have:

  1. Having a startup script to disable scanners
  2. A log off script to disable scanners
  3. A login script to re-enable the scanner

The handheld scanner apparently shows as a generic HID keyboard in device manager. Does anyone know of a feasible way to block this or perhaps an alternative solution to the problem (blocking the device at login)? Thank you!

Securing an API for 3rd party users

I’m having issues finding the right language to search for answers to my problem so hopefully I can explain it here.

I am trying to create an API that will be accessed by a 3rd party. This 3rd party authenticates their users using some unknown system (they use something like Auth0 or Okta). Their web application will be making requests to our API on behalf of the users. We need to validate that these requests are coming from authenticated users of the specific 3rd party, but we don’t want to keep track of the 3rd party’s users. We need these requests to carry tokens containing claims pertaining to the individual user, but it would be up to the 3rd party to handle these claims.

Is what I’m describing here possible? I’ve been reading up on Federated SSO, but it doesn’t quite seem to solve the problem that we’re having.