Diffstat (limited to 'lib')
-rw-r--r--lib/models/user.js16
-rw-r--r--lib/web/auth/email/index.js10
2 files changed, 15 insertions, 11 deletions
diff --git a/lib/models/user.js b/lib/models/user.js
index bcf3c094..8da12b83 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -1,7 +1,7 @@
'use strict'
// external modules
var Sequelize = require('sequelize')
-var scrypt = require('@mlink/scrypt')
+var scrypt = require('scrypt-kdf')
// core
var logger = require('../logger')
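Review bot: Nothing in this change shows that password keys already stored by `@mlink/scrypt` still verify under `scrypt-kdf`, which the swapped `require` now relies on for every existing account. If the two libraries do not share a key format, existing users would fail to log in after deploy. A regression test that checks a fixture key generated by the old library against `scrypt.verify` would settle it. A comment beside the require, such as `// must stay format-compatible with keys written by @mlink/scrypt`, would record the constraint.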
@@ -46,11 +46,7 @@ module.exports = function (sequelize, DataTypes) {
}, {
instanceMethods: {
verifyPassword: function (attempt) {
- if (scrypt.verifyKdfSync(Buffer.from(this.password, 'hex'), attempt)) {
- return this
- } else {
- return false
- }
+ return scrypt.verify(Buffer.from(this.password, 'hex'), attempt)
}
},
classMethods: {
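Review bot: `verifyPassword` now returns a Promise where it used to return `this` or `false`, so any caller that still tests the result directly (`if (!user.verifyPassword(pw))`) will accept every password, because a Promise is always truthy. The visible diff updates only the caller in `lib/web/auth/email/index.js` and is limited to `lib`, so any other call sites should be checked before merge. A comment on the method would make the contract explicit: `// resolves to a boolean; callers must wait for the result, never test the return value directly`.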
@@ -153,9 +149,11 @@ module.exports = function (sequelize, DataTypes) {
// suggested way to hash passwords to be able to do this asynchronously:
// @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819
if (!user.changed('password')) { return done() }
- const hash = scrypt.kdfSync(user.get('password'), scrypt.paramsSync(0.1)).toString('hex')
- user.setDataValue('password', hash)
- done()
+
+ scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => {
+ user.setDataValue('password', keyBuf.toString('hex'))
+ done()
+ })
}
User.beforeCreate(updatePasswordHashHook)
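Review bot: The promise returned by `scrypt.kdf(...)` has no rejection handler, so if key derivation fails `done` is never called and the save that triggered the hook never completes. Assuming `done` follows the usual error-first convention, ending the chain with `.catch(done)` hands the failure to Sequelize instead. The fixed `{ logN: 15 }` replaces the earlier time-calibrated parameters; a one-line comment stating why that cost was chosen would help when it needs to be raised. The hook function begins above the hunk.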
diff --git a/lib/web/auth/email/index.js b/lib/web/auth/email/index.js
index f7e58d46..daa4a8c5 100644
--- a/lib/web/auth/email/index.js
+++ b/lib/web/auth/email/index.js
@@ -23,8 +23,14 @@ passport.use(new LocalStrategy({
}
}).then(function (user) {
if (!user) return done(null, false)
- if (!user.verifyPassword(password)) return done(null, false)
- return done(null, user)
+ user.verifyPassword(password).then(verified => {
+ if (verified) {
+ return done(null, user)
+ } else {
+ logger.warn('invalid password given for %s', user.email)
+ return done(null, false)
+ }
+ })
}).catch(function (err) {
logger.error(err)
return done(err)
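Review bot: The inner `user.verifyPassword(password).then(...)` chain is not returned from the enclosing `.then` callback, so a rejection from it never reaches the `.catch` at the end and `done` is not called; the login request would hang with an unhandled rejection. Returning the chain, `return user.verifyPassword(password).then(verified => {`, routes such failures to the existing `logger.error(err)` / `done(err)` handler. The new `logger.warn` records the account email on each failed attempt, which helps spot password guessing but puts a personal identifier in the logs; confirm that fits the project's log retention policy. The strategy callback starts and ends outside the hunk.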