diff options
| author | Mar0xy <marie@kaifa.ch> | 2023-09-27 21:46:56 +0200 |
|---|---|---|
| committer | Mar0xy <marie@kaifa.ch> | 2023-09-27 21:46:56 +0200 |
| commit | e17dcd7814558963b974b358f94ba68fb6f7d632 (patch) | |
| tree | fd1e6ef852170dd40a0f9c4b3657ddae8f475955 /packages/backend/src/server/api | |
| parent | chore: update readme (diff) | |
| download | sharkey-e17dcd7814558963b974b358f94ba68fb6f7d632.tar.gz sharkey-e17dcd7814558963b974b358f94ba68fb6f7d632.tar.bz2 sharkey-e17dcd7814558963b974b358f94ba68fb6f7d632.zip | |
upd: rehash misskey passwords with argon2 on login
Diffstat (limited to 'packages/backend/src/server/api')
| -rw-r--r-- | packages/backend/src/server/api/SigninApiService.ts | 37 |
1 files changed, 15 insertions, 22 deletions
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts index 687913731c..cd5623aa92 100644 --- a/packages/backend/src/server/api/SigninApiService.ts +++ b/packages/backend/src/server/api/SigninApiService.ts @@ -4,9 +4,8 @@ */ import { Inject, Injectable } from '@nestjs/common'; -//import bcrypt from 'bcryptjs'; +import bcrypt from 'bcryptjs'; import * as argon2 from 'argon2'; -import bcrypt from "bcryptjs"; import * as OTPAuth from 'otpauth'; import { IsNull } from 'typeorm'; import { DI } from '@/di-symbols.js'; @@ -26,22 +25,7 @@ import { RateLimiterService } from './RateLimiterService.js'; import { SigninService } from './SigninService.js'; import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types'; import type { FastifyReply, FastifyRequest } from 'fastify'; -async function hashPassword(password: string): Promise<string> { - return argon2.hash(password); -} -async function comparePassword( - password: string, - hash: string, -): Promise<boolean> { - if (isOldAlgorithm(hash)) return bcrypt.compare(password, hash); - - return argon2.verify(hash, password); -} -function isOldAlgorithm(hash: string): boolean { - // bcrypt hashes start with $2[ab]$ - return hash.startsWith("$2"); -} @Injectable() export class SigninApiService { constructor( @@ -140,11 +124,8 @@ export class SigninApiService { const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id }); // Compare password - const same = await comparePassword(password, profile.password!); - if (same && isOldAlgorithm(profile.password!)) { - profile.password = await hashPassword(password); - await this.userProfilesRepository.save(profile); - } + const same = await argon2.verify(profile.password!, password) || bcrypt.compareSync(password, profile.password!); + const fail = async (status?: number, failure?: { id: string }) => { // Append signin history await this.signinsRepository.insert({ @@ -161,6 +142,12 @@ export class SigninApiService { if (!profile.twoFactorEnabled) { if (same) { + if (profile.password!.startsWith('$2')) { + const newHash = await argon2.hash(password); + this.userProfilesRepository.update(user.id, { + password: newHash + }); + } return this.signinService.signin(request, reply, user); } else { return await fail(403, { @@ -177,6 +164,12 @@ export class SigninApiService { } try { + if (profile.password!.startsWith('$2')) { + const newHash = await argon2.hash(password); + this.userProfilesRepository.update(user.id, { + password: newHash + }); + } await this.userAuthService.twoFactorAuthenticate(profile, token); } catch (e) { return await fail(403, { |