From 1d403e183d50001bf0f20113d15994007b14696b Mon Sep 17 00:00:00 2001
From: Claudius
Date: Mon, 13 May 2019 11:51:05 +0200
Subject: asyncified setting and verifying the password

Signed-off-by: Claudius <opensource@amenthes.de>
---
 lib/models/user.js          | 16 +++++++---------
 lib/web/auth/email/index.js | 10 ++++++++--
 2 files changed, 15 insertions(+), 11 deletions(-)

(limited to 'lib')

diff --git a/lib/models/user.js b/lib/models/user.js
index bcf3c094..8da12b83 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -1,7 +1,7 @@
 'use strict'
 // external modules
 var Sequelize = require('sequelize')
-var scrypt = require('@mlink/scrypt')
+var scrypt = require('scrypt-kdf')
 
 // core
 var logger = require('../logger')
@@ -46,11 +46,7 @@ module.exports = function (sequelize, DataTypes) {
   }, {
     instanceMethods: {
       verifyPassword: function (attempt) {
-        if (scrypt.verifyKdfSync(Buffer.from(this.password, 'hex'), attempt)) {
-          return this
-        } else {
-          return false
-        }
+        return scrypt.verify(Buffer.from(this.password, 'hex'), attempt)
       }
     },
     classMethods: {
@@ -153,9 +149,11 @@ module.exports = function (sequelize, DataTypes) {
     // suggested way to hash passwords to be able to do this asynchronously:
     // @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819
     if (!user.changed('password')) { return done() }
-    const hash = scrypt.kdfSync(user.get('password'), scrypt.paramsSync(0.1)).toString('hex')
-    user.setDataValue('password', hash)
-    done()
+
+    scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => {
+      user.setDataValue('password', keyBuf.toString('hex'))
+      done()
+    })
   }
 
   User.beforeCreate(updatePasswordHashHook)
diff --git a/lib/web/auth/email/index.js b/lib/web/auth/email/index.js
index f7e58d46..daa4a8c5 100644
--- a/lib/web/auth/email/index.js
+++ b/lib/web/auth/email/index.js
@@ -23,8 +23,14 @@ passport.use(new LocalStrategy({
     }
   }).then(function (user) {
     if (!user) return done(null, false)
-    if (!user.verifyPassword(password)) return done(null, false)
-    return done(null, user)
+    user.verifyPassword(password).then(verified => {
+      if (verified) {
+        return done(null, user)
+      } else {
+        logger.warn('invalid password given for %s', user.email)
+        return done(null, false)
+      }
+    })
   }).catch(function (err) {
     logger.error(err)
     return done(err)
-- 
cgit v1.2.3