Hashing a value in response data from a REST API endpoint to frontend

We are using video call/chat services from a third-party company, and we create tokens and channel names to use their chat services in our platform. After our FE requests credentials (token and channel name) from our BE, the endpoint responds with the token and channel name information. The third-party system does not create the tokens for a specific channel name, so it is quite possible to obtain one chat token and, as long as you know or guess the chat channel name, you can join and text freely. In order to prevent this from happening, we are to hash/encrypt the channel names sent in our responses to the FE so that the actual channel name won’t be visible in plain text.

What’s the best way to do this?

BE: Django FE: Vue.js

Thanks

1 Answer(s)

You can use Python’s built-in library: hmac. An example:

CHAT_SERVICE_SECRET_KEY is a key you set yourself in your settings.py.

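    import hashlib
    import hmac

    from django.conf import settings

    # hmac.new() takes a single message, so the name and token are joined first.
    hashed_channel_name = hmac.new(
        settings.CHAT_SERVICE_SECRET_KEY.encode('utf8'),
        f'{channel_name}:{channel_token}'.encode('utf8'),
        digestmod=hashlib.sha256,
    ).hexdigest()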

This value can be the response in the frontend.
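A self-contained sketch of the HMAC approach from the answer above, added here as an example and not code from the original post. `SECRET_KEY` is a constructed stand-in for `settings.CHAT_SERVICE_SECRET_KEY`, and `_encode_fields`, `opaque_channel_id` and `verify_channel_id` are hypothetical helper names; the length-prefixed encoding is an assumption chosen so that two different name/token pairs can never produce the same message.

```python
import hashlib
import hmac

# Constructed stand-in for settings.CHAT_SERVICE_SECRET_KEY (assumption).
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") differ."""
    out = b""
    for field in fields:
        raw = field.encode("utf8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def opaque_channel_id(channel_name: str, channel_token: str,
                      key: bytes = SECRET_KEY) -> str:
    """Return the hex HMAC-SHA256 value the backend sends to the frontend."""
    message = _encode_fields(channel_name, channel_token)
    return hmac.new(key, message, digestmod=hashlib.sha256).hexdigest()


def verify_channel_id(candidate: str, channel_name: str, channel_token: str,
                      key: bytes = SECRET_KEY) -> bool:
    """Check a value sent back by a client, using a constant-time compare."""
    expected = opaque_channel_id(channel_name, channel_token, key)
    # Compare as bytes so non-ASCII input is rejected instead of raising.
    return hmac.compare_digest(expected.encode("ascii"),
                               candidate.encode("utf8"))


if __name__ == "__main__":
    # Constructed sample values.
    value = opaque_channel_id("support-room-17", "tok_example")
    print(value)
    print(verify_channel_id(value, "support-room-17", "tok_example"))
    print(verify_channel_id(value, "support-room-18", "tok_example"))
```

Because HMAC is one-way, the frontend cannot recover the original channel name from this value; the backend recomputes it to check what a client sends back.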
