
    Specifying password during user registration.

    Q&A
    • nishant

      I'm following this tutorial to register a new user via the FusionAuth API. Going through this documentation for the endpoint, I found that it expects the password for the new user to be sent as plain text. But this would be insecure, assuming the flow looks like My Frontend --> My Backend --> FusionAuth API --> My Backend --> My Frontend. Is there a better way of communicating the password to FusionAuth? Thanks!

      • dan

        Hiya,

        First off, we'd recommend having the whole flow you outline run over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:

        My Frontend --> My Backend --> FusionAuth API

        There's no password returned from the registration API call.

        If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)

        The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one off registrations. There are no plans to accept encrypted passwords for one off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.

        Are there specific security concerns you have around your front end/back end systems that I might be missing?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • nishant

          Thanks @dan I think we're going to go with the FusionAuth hosted pages for now.

        • dan

            Sounds great, thanks!


        • kasir-barati @dan

              Hey @dan,

              Thanks for sharing the invaluable insights. Just one question remains in my mind, and that is when to get the user to verify their email address in this method of setting their password in one shot?

              Should I set any flag to indicate to FusionAuth to send an email to user for email verification?

              My use case is like this:

              1. User opens mobile app
              2. They will register through my app by sending their name, family name, email address, and password.
              3. In my backend I get their request and, as described above, I am passing those fields to the FusionAuth client (I am using @fusionauth/typescript-client)

              Now I am not sure how to configure FusionAuth, or let it know, that it should send an email to the address the user entered containing a one-time-use link to verify their email address, so that I can be sure they've verified their email address and probably have some sort of law enforcement or restriction based on verified email addresses and not unverified ones.

              Many thanks for your support.

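The backend half of the flow dan describes (My Frontend --> My Backend --> FusionAuth API, everything over TLS, no password coming back) together with the verification question in the last post, as an added example that is not code from the thread or from FusionAuth. It calls the registration endpoint directly through an injectable fetch-shaped function rather than @fusionauth/typescript-client so it runs offline; the base URL, API key, applicationId, sample response and user data are constructed placeholders, and it assumes email verification is enabled on the tenant, which is what makes `skipVerification: false` result in a verification email.

```typescript
// Added example (not FusionAuth's or the thread's own code). Backend-side user
// registration for the flow  My Frontend --> My Backend --> FusionAuth API.
// Constructed/assumed: base URL, API key, applicationId and the sample response
// are placeholders; the tenant is assumed to have email verification enabled.

interface RegistrationInput {
  email: string;
  password: string; // plaintext, received once from the frontend over TLS
  firstName?: string;
  lastName?: string;
}

interface HttpRequest {
  url: string;
  init: { method: "POST"; headers: Record<string, string>; body: string };
}

interface RegistrationResult {
  userId: string;
  email: string;
  verified: boolean; // false until the user follows the verification link
}

// Minimal fetch-shaped type so the caller can inject the real fetch or a fake.
type FetchLike = (
  url: string,
  init: HttpRequest["init"],
) => Promise<{ status: number; json(): Promise<unknown> }>;

// Build the POST /api/user/registration request. The API key never leaves the
// backend, and the password is sent exactly once, in the JSON body, over TLS.
function buildRegistrationRequest(
  baseUrl: string,
  apiKey: string,
  applicationId: string,
  input: RegistrationInput,
): HttpRequest {
  if (!/^https:\/\//i.test(baseUrl)) {
    throw new Error("refusing to send a password to FusionAuth without TLS");
  }
  const body = {
    user: {
      email: input.email,
      password: input.password,
      firstName: input.firstName,
      lastName: input.lastName,
    },
    registration: { applicationId },
    // Do not bypass verification: with it enabled on the tenant, FusionAuth
    // emails a one-time verification link to the address given above.
    skipVerification: false,
    sendSetPasswordEmail: false, // the user already chose a password
  };
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/api/user/registration`,
    init: {
      method: "POST",
      headers: { Authorization: apiKey, "Content-Type": "application/json" },
      body: JSON.stringify(body),
    },
  };
}

// What may safely go into application logs: no password, no API key.
function redactForLog(req: HttpRequest): string {
  const parsed = JSON.parse(req.init.body);
  if (parsed.user && "password" in parsed.user) parsed.user.password = "[REDACTED]";
  return JSON.stringify({ url: req.url, method: req.init.method, body: parsed });
}

// Reduce FusionAuth's response (which carries no password) to what the
// frontend needs; everything else stays on the backend.
function parseRegistrationResponse(status: number, payload: unknown): RegistrationResult {
  if (status !== 200) throw new Error(`FusionAuth registration failed with HTTP ${status}`);
  const user = (payload as { user?: { id?: string; email?: string; verified?: boolean } }).user;
  if (!user || typeof user.id !== "string" || typeof user.email !== "string") {
    throw new Error("unexpected registration response shape");
  }
  return { userId: user.id, email: user.email, verified: user.verified === true };
}

async function registerUser(
  fetchImpl: FetchLike,
  baseUrl: string,
  apiKey: string,
  applicationId: string,
  input: RegistrationInput,
): Promise<RegistrationResult> {
  const req = buildRegistrationRequest(baseUrl, apiKey, applicationId, input);
  console.log("registering user:", redactForLog(req));
  const res = await fetchImpl(req.url, req.init);
  return parseRegistrationResponse(res.status, await res.json());
}

// Constructed sample response in the shape of FusionAuth's registration API
// (placeholder values, not captured from a real server).
const SAMPLE_RESPONSE = {
  user: { id: "00000000-0000-0000-0000-000000000001", email: "alice@example.com", verified: false },
  registration: { applicationId: "00000000-0000-0000-0000-0000000000aa", verified: false },
};

const fakeFetch: FetchLike = async () => ({ status: 200, json: async () => SAMPLE_RESPONSE });

registerUser(fakeFetch, "https://auth.example.com", "api-key-placeholder",
  "00000000-0000-0000-0000-0000000000aa",
  { email: "alice@example.com", password: "correct horse battery staple", firstName: "Alice" })
  .then((r) => console.log("registered:", r));
```

Swap `fakeFetch` for the real `fetch` (or the client library) and the request is the same; the checks that matter are the ones that cannot be delegated: the URL is https, the API key is only ever added on the backend, the password is not written to logs, and `skipVerification` stays `false` so the tenant's verification email goes out.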