1 of 1

Milestone 3 Security Review

Security Review for Littlefish NFT Auth Framework (NPM Package)

Security Measures Implemented in Milestone 3:

Authentication:
- Email/Password Authentication: Uses bcrypt for hashing passwords, ensuring secure storage.
- Cardano Wallet Authentication: Verifies wallet ownership using cryptographic signatures and public keys with @cardano-foundation/cardano-verify-datasignature.
- Asset Authentication: In addition to previous methods, now the package supports NFT and Token authentication.
- On-Chain Verification: Ownership of the assets provided by the wallet is verified by Blockfrost API.
- Authentication Policies: Developers can choose to make their authentication only to allow specific policy IDs. Authentication Policy IDs can be as many as the developer wants.
Data Protection:
- Password Hashing: Uses bcrypt for hashing passwords.
- Nonce Generation: Generates unique nonces using crypto.randomBytes to prevent replay attacks.
- Hex-to-Bech32 Conversion: Safely converts hexadecimal strings to Bech32 format using bech32 for wallet address validation.
Validation Functions:
- String Validation: Ensures non-empty strings.
- Email Validation: Uses regex to validate email formats.
- Password Validation: Uses regex to enforce strong password criteria.
- Wallet Address Verification: Verifies wallet addresses by converting hex to Bech32 and checking signatures.
- PolicyID Verification: Gets all the addresses that owns assets of the provided policy ID on-chain
- Asset Ownership Verification: Verifies ownership of assets for cardano wallets.

Potential Considerations for Future Hardening:

Regular Security Audits:
- Conduct regular security audits and code reviews to identify and fix vulnerabilities promptly.
Dependency Management:
- Regularly update dependencies to incorporate the latest security patches and improvements.

Our Recomendations for the Use of This Package

Secure API Management: Use environment variables or secure vaults to manage API keys and other sensitive configurations.

Milestone 3 Security Review

Security Review for Littlefish NFT Auth Framework (NPM Package)

Security Measures Implemented in Milestone 3:

Authentication:
- Email/Password Authentication: Uses bcrypt for hashing passwords, ensuring secure storage.
- Cardano Wallet Authentication: Verifies wallet ownership using cryptographic signatures and public keys with @cardano-foundation/cardano-verify-datasignature.
- Asset Authentication: In addition to previous methods, now the package supports NFT and Token authentication.
- On-Chain Verification: Ownership of the assets provided by the wallet is verified by Blockfrost API.
- Authentication Policies: Developers can choose to make their authentication only to allow specific policy IDs. Authentication Policy IDs can be as many as the developer wants.
Data Protection:
- Password Hashing: Uses bcrypt for hashing passwords.
- Nonce Generation: Generates unique nonces using crypto.randomBytes to prevent replay attacks.
- Hex-to-Bech32 Conversion: Safely converts hexadecimal strings to Bech32 format using bech32 for wallet address validation.
Validation Functions:
- String Validation: Ensures non-empty strings.
- Email Validation: Uses regex to validate email formats.
- Password Validation: Uses regex to enforce strong password criteria.
- Wallet Address Verification: Verifies wallet addresses by converting hex to Bech32 and checking signatures.
- PolicyID Verification: Gets all the addresses that owns assets of the provided policy ID on-chain
- Asset Ownership Verification: Verifies ownership of assets for cardano wallets.

Potential Considerations for Future Hardening:

Regular Security Audits:
- Conduct regular security audits and code reviews to identify and fix vulnerabilities promptly.
Dependency Management:
- Regularly update dependencies to incorporate the latest security patches and improvements.

Our Recomendations for the Use of This Package

Secure API Management: Use environment variables or secure vaults to manage API keys and other sensitive configurations.