From df666dd2140c8955765972230260d6e4bd5de42a Mon Sep 17 00:00:00 2001 From: Claudius Date: Mon, 13 May 2019 10:55:37 +0200 Subject: getting password hashing into a hook where it could be async Signed-off-by: Claudius --- lib/models/user.js | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'lib') diff --git a/lib/models/user.js b/lib/models/user.js index 648db73e..bcf3c094 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -5,7 +5,7 @@ var scrypt = require('@mlink/scrypt') // core var logger = require('../logger') -var {generateAvatarURL} = require('../letter-avatars') +var { generateAvatarURL } = require('../letter-avatars') module.exports = function (sequelize, DataTypes) { var User = sequelize.define('User', { @@ -41,11 +41,7 @@ module.exports = function (sequelize, DataTypes) { } }, password: { - type: Sequelize.TEXT, - set: function (value) { - var hash = scrypt.kdfSync(value, scrypt.paramsSync(0.1)).toString('hex') - this.setDataValue('password', hash) - } + type: Sequelize.TEXT } }, { instanceMethods: { @@ -153,5 +149,17 @@ module.exports = function (sequelize, DataTypes) { } }) + function updatePasswordHashHook (user, options, done) { + // suggested way to hash passwords to be able to do this asynchronously: + // @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819 + if (!user.changed('password')) { return done() } + const hash = scrypt.kdfSync(user.get('password'), scrypt.paramsSync(0.1)).toString('hex') + user.setDataValue('password', hash) + done() + } + + User.beforeCreate(updatePasswordHashHook) + User.beforeUpdate(updatePasswordHashHook) + return User } -- cgit v1.2.3 From 1d403e183d50001bf0f20113d15994007b14696b Mon Sep 17 00:00:00 2001 From: Claudius Date: Mon, 13 May 2019 11:51:05 +0200 Subject: asyncified setting and verifying the password Signed-off-by: Claudius --- lib/models/user.js | 16 +++++++--------- lib/web/auth/email/index.js | 10 ++++++++-- 2 files changed, 15 insertions(+), 11 deletions(-) (limited to 'lib') diff --git a/lib/models/user.js b/lib/models/user.js index bcf3c094..8da12b83 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -1,7 +1,7 @@ 'use strict' // external modules var Sequelize = require('sequelize') -var scrypt = require('@mlink/scrypt') +var scrypt = require('scrypt-kdf') // core var logger = require('../logger') @@ -46,11 +46,7 @@ module.exports = function (sequelize, DataTypes) { }, { instanceMethods: { verifyPassword: function (attempt) { - if (scrypt.verifyKdfSync(Buffer.from(this.password, 'hex'), attempt)) { - return this - } else { - return false - } + return scrypt.verify(Buffer.from(this.password, 'hex'), attempt) } }, classMethods: { @@ -153,9 +149,11 @@ module.exports = function (sequelize, DataTypes) { // suggested way to hash passwords to be able to do this asynchronously: // @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819 if (!user.changed('password')) { return done() } - const hash = scrypt.kdfSync(user.get('password'), scrypt.paramsSync(0.1)).toString('hex') - user.setDataValue('password', hash) - done() + + scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => { + user.setDataValue('password', keyBuf.toString('hex')) + done() + }) } User.beforeCreate(updatePasswordHashHook) diff --git a/lib/web/auth/email/index.js b/lib/web/auth/email/index.js index f7e58d46..daa4a8c5 100644 --- a/lib/web/auth/email/index.js +++ b/lib/web/auth/email/index.js @@ -23,8 +23,14 @@ passport.use(new LocalStrategy({ } }).then(function (user) { if (!user) return done(null, false) - if (!user.verifyPassword(password)) return done(null, false) - return done(null, user) + user.verifyPassword(password).then(verified => { + if (verified) { + return done(null, user) + } else { + logger.warn('invalid password given for %s', user.email) + return done(null, false) + } + }) }).catch(function (err) { logger.error(err) return done(err) -- cgit v1.2.3 From 4833f300c527b96cc5d6d16c605df8cf04d06c1d Mon Sep 17 00:00:00 2001 From: Claudius Date: Mon, 13 May 2019 12:55:03 +0200 Subject: polyfilling scrypt for node 8.5+ Signed-off-by: Claudius --- lib/models/user.js | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/models/user.js b/lib/models/user.js index 8da12b83..76e20a32 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -1,11 +1,20 @@ 'use strict' // external modules -var Sequelize = require('sequelize') -var scrypt = require('scrypt-kdf') +const Sequelize = require('sequelize') +const crypto = require('crypto') +if (!crypto.scrypt) { + // polyfill for node.js 8.0, see https://github.com/chrisveness/scrypt-kdf#openssl-implementation + const scryptAsync = require('scrypt-async') + crypto.scrypt = function (password, salt, keylen, options, callback) { + const opt = Object.assign({}, options, { dkLen: keylen }) + scryptAsync(password, salt, opt, (derivedKey) => callback(null, Buffer.from(derivedKey))) + } +} +const scrypt = require('scrypt-kdf') // core -var logger = require('../logger') -var { generateAvatarURL } = require('../letter-avatars') +const logger = require('../logger') +const { generateAvatarURL } = require('../letter-avatars') module.exports = function (sequelize, DataTypes) { var User = sequelize.define('User', { -- cgit v1.2.3