From df666dd2140c8955765972230260d6e4bd5de42a Mon Sep 17 00:00:00 2001
From: Claudius
Date: Mon, 13 May 2019 10:55:37 +0200
Subject: getting password hashing into a hook where it could be async

Signed-off-by: Claudius <opensource@amenthes.de>
---
 lib/models/user.js | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

(limited to 'lib/models')

diff --git a/lib/models/user.js b/lib/models/user.js
index 648db73e..bcf3c094 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -5,7 +5,7 @@ var scrypt = require('@mlink/scrypt')
 
 // core
 var logger = require('../logger')
-var {generateAvatarURL} = require('../letter-avatars')
+var { generateAvatarURL } = require('../letter-avatars')
 
 module.exports = function (sequelize, DataTypes) {
   var User = sequelize.define('User', {
@@ -41,11 +41,7 @@ module.exports = function (sequelize, DataTypes) {
       }
     },
     password: {
-      type: Sequelize.TEXT,
-      set: function (value) {
-        var hash = scrypt.kdfSync(value, scrypt.paramsSync(0.1)).toString('hex')
-        this.setDataValue('password', hash)
-      }
+      type: Sequelize.TEXT
     }
   }, {
     instanceMethods: {
@@ -153,5 +149,17 @@ module.exports = function (sequelize, DataTypes) {
     }
   })
 
+  function updatePasswordHashHook (user, options, done) {
+    // suggested way to hash passwords to be able to do this asynchronously:
+    // @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819
+    if (!user.changed('password')) { return done() }
+    const hash = scrypt.kdfSync(user.get('password'), scrypt.paramsSync(0.1)).toString('hex')
+    user.setDataValue('password', hash)
+    done()
+  }
+
+  User.beforeCreate(updatePasswordHashHook)
+  User.beforeUpdate(updatePasswordHashHook)
+
   return User
 }
-- 
cgit v1.2.3


From 1d403e183d50001bf0f20113d15994007b14696b Mon Sep 17 00:00:00 2001
From: Claudius
Date: Mon, 13 May 2019 11:51:05 +0200
Subject: asyncified setting and verifying the password

Signed-off-by: Claudius <opensource@amenthes.de>
---
 lib/models/user.js | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

(limited to 'lib/models')

diff --git a/lib/models/user.js b/lib/models/user.js
index bcf3c094..8da12b83 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -1,7 +1,7 @@
 'use strict'
 // external modules
 var Sequelize = require('sequelize')
-var scrypt = require('@mlink/scrypt')
+var scrypt = require('scrypt-kdf')
 
 // core
 var logger = require('../logger')
@@ -46,11 +46,7 @@ module.exports = function (sequelize, DataTypes) {
   }, {
     instanceMethods: {
       verifyPassword: function (attempt) {
-        if (scrypt.verifyKdfSync(Buffer.from(this.password, 'hex'), attempt)) {
-          return this
-        } else {
-          return false
-        }
+        return scrypt.verify(Buffer.from(this.password, 'hex'), attempt)
       }
     },
     classMethods: {
@@ -153,9 +149,11 @@ module.exports = function (sequelize, DataTypes) {
     // suggested way to hash passwords to be able to do this asynchronously:
     // @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819
     if (!user.changed('password')) { return done() }
-    const hash = scrypt.kdfSync(user.get('password'), scrypt.paramsSync(0.1)).toString('hex')
-    user.setDataValue('password', hash)
-    done()
+
+    scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => {
+      user.setDataValue('password', keyBuf.toString('hex'))
+      done()
+    })
   }
 
   User.beforeCreate(updatePasswordHashHook)
-- 
cgit v1.2.3


From 4833f300c527b96cc5d6d16c605df8cf04d06c1d Mon Sep 17 00:00:00 2001
From: Claudius
Date: Mon, 13 May 2019 12:55:03 +0200
Subject: polyfilling scrypt for node 8.5+

Signed-off-by: Claudius <opensource@amenthes.de>
---
 lib/models/user.js | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

(limited to 'lib/models')

diff --git a/lib/models/user.js b/lib/models/user.js
index 8da12b83..76e20a32 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -1,11 +1,20 @@
 'use strict'
 // external modules
-var Sequelize = require('sequelize')
-var scrypt = require('scrypt-kdf')
+const Sequelize = require('sequelize')
+const crypto = require('crypto')
+if (!crypto.scrypt) {
+  // polyfill for node.js 8.0, see https://github.com/chrisveness/scrypt-kdf#openssl-implementation
+  const scryptAsync = require('scrypt-async')
+  crypto.scrypt = function (password, salt, keylen, options, callback) {
+    const opt = Object.assign({}, options, { dkLen: keylen })
+    scryptAsync(password, salt, opt, (derivedKey) => callback(null, Buffer.from(derivedKey)))
+  }
+}
+const scrypt = require('scrypt-kdf')
 
 // core
-var logger = require('../logger')
-var { generateAvatarURL } = require('../letter-avatars')
+const logger = require('../logger')
+const { generateAvatarURL } = require('../letter-avatars')
 
 module.exports = function (sequelize, DataTypes) {
   var User = sequelize.define('User', {
-- 
cgit v1.2.3