[BREAKING CHANGE] Improve security

author: syuilo <syuilotan@yahoo.co.jp> 2017-01-06 11:50:46 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2017-01-06 11:50:46 +0900
commit: 94582453820655d11cb6dff8ad62148742591103 (patch)
tree: 8f5daf00c67e0a536afce99c6dd248a65e741706 /src/api/endpoints/auth/accept.js
parent: Refactor: Extract isNativeToken method (diff)
download: misskey-94582453820655d11cb6dff8ad62148742591103.tar.gz
misskey-94582453820655d11cb6dff8ad62148742591103.tar.bz2
misskey-94582453820655d11cb6dff8ad62148742591103.zip
1 files changed, 14 insertions, 1 deletions
diff --git a/src/api/endpoints/auth/accept.js b/src/api/endpoints/auth/accept.js
index 7c45650c6b..9eb5d2e7e2 100644
--- a/src/api/endpoints/auth/accept.js
+++ b/src/api/endpoints/auth/accept.js
@@ -4,6 +4,8 @@
  * Module dependencies
  */
 import rndstr from 'rndstr';
+const crypto = require('crypto');
+import App from '../../models/app';
 import AuthSess from '../../models/auth-session';
 import Userkey from '../../models/userkey';
 
@@ -41,12 +43,23 @@ module.exports = (params, user) =>
 	});
 
 	if (exist === null) {
+		// Lookup app
+		const app = await App.findOne({
+			app_id: session.app_id
+		});
+
+		// Generate Hash
+		const sha512 = crypto.createHash('sha512');
+		sha512.update(key + app.secret);
+		const hash = sha512.digest('hex');
+
 		// Insert userkey doc
 		await Userkey.insert({
 			created_at: new Date(),
 			app_id: session.app_id,
 			user_id: user._id,
-			key: key
+			key: key,
+			hash: hash
 		});
 	}
author	syuilo <syuilotan@yahoo.co.jp>	2017-01-06 11:50:46 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2017-01-06 11:50:46 +0900
commit	94582453820655d11cb6dff8ad62148742591103 (patch)
tree	8f5daf00c67e0a536afce99c6dd248a65e741706 /src/api/endpoints/auth/accept.js
parent	Refactor: Extract isNativeToken method (diff)
download	misskey-94582453820655d11cb6dff8ad62148742591103.tar.gz misskey-94582453820655d11cb6dff8ad62148742591103.tar.bz2 misskey-94582453820655d11cb6dff8ad62148742591103.zip