PureKit provides a complete authentication system that replaces simple passwords (or password hashes) with encrypted passwords. This guide shows how to encrypt (harden) a user's password and authenticate users with the Virgil PHE Service.
Learn more about how Password-Hardened Encryption works here.
Before you begin
Register user at PureKit
To register a user, you have to take the user's password (or its hash) and pass it into the registerUser function. This function can be used both for new users and for users already registered in your system.
If you're using this function for an already existing user, you can delete their original password (or its hash) from your database after registering the user at PureKit.
If you have a storage with user passwords, you don't have to wait until they log in. You can go through your database and register users at PureKit at any time.
After you've registered the user, you can authenticate them with the
Read more about the PureKit authentication process in the Login section of the PureKit whitepaper.
AuthResult authResult = pure.authenticateUser(userId, password);
In case the user forgot their password, take a look at the User Password Management guide.
Manage user Grant
authResult, obtained with the authenticateUser function, consists of the EncryptedGrant. You'll need the PureGrant for decrypting the user's data, and the EncryptedGrant to pass to the user. Using the Grant, the user can access their data without authenticating for every decryption request until the Grant expires. Basically, the Grant is the equivalent of an active user session.
To provide a user with access to their data you need to:
- Authenticate them at the backend with
- Pass the EncryptedGrant to the user as an access token
- When the user sends a request to the server using their EncryptedGrant, the server passes it into the decryptGrant function to obtain
- Using the PureGrant, the server is able to decrypt the user's data and send it to the user.
Note that if you're using a custom storage, you'll need to regularly check and delete the Grants from your storage when they expire.
If you need to invalidate the Grant immediately, you can use the
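The expiry cleanup and immediate invalidation described above, as an added sketch that is not PureKit code. GrantStoreSketch, its methods and the grant ids are hypothetical stand-ins for the grant table of a custom storage, and the sketch models only the Grant lifecycle, not PureKit's cryptography.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the grant table of a custom storage; not a PureKit class.
public class GrantStoreSketch {
    // grantId -> expiry time. A real table would also hold the user id and key material.
    private final Map<String, Instant> expiryByGrantId = new ConcurrentHashMap<>();

    public void save(String grantId, Instant expiresAt) {
        expiryByGrantId.put(grantId, expiresAt);
    }

    // Enforce expiry at lookup time, so a late purge never extends a session.
    public boolean isUsable(String grantId, Instant now) {
        Instant expiresAt = expiryByGrantId.get(grantId);
        return expiresAt != null && now.isBefore(expiresAt);
    }

    // Immediate invalidation, for example when the user logs out.
    public boolean revoke(String grantId) {
        return expiryByGrantId.remove(grantId) != null;
    }

    // Periodic cleanup job: delete every grant whose expiry has passed.
    public int purgeExpired(Instant now) {
        int before = expiryByGrantId.size();
        expiryByGrantId.values().removeIf(expiresAt -> !now.isBefore(expiresAt));
        return before - expiryByGrantId.size();
    }

    public static void main(String[] args) {
        GrantStoreSketch store = new GrantStoreSketch();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample clock
        store.save("grant-a", t0.plus(Duration.ofHours(1)));
        store.save("grant-b", t0.plus(Duration.ofHours(8)));
        store.save("grant-c", t0.plus(Duration.ofHours(8)));

        Instant later = t0.plus(Duration.ofHours(2));
        System.out.println(store.isUsable("grant-a", later)); // expired but not yet purged
        System.out.println(store.isUsable("grant-b", later)); // still inside its lifetime
        System.out.println(store.revoke("grant-c"));          // invalidated before expiry
        System.out.println(store.isUsable("grant-c", later));
        System.out.println(store.purgeExpired(later));        // number of rows deleted
    }
}
```

The purge job is storage hygiene only; the expiry check in isUsable is what keeps an expired but not yet deleted Grant from being accepted.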
Start encrypting user's data with PureKit: