refactor: rewrite password logic at /login
This commit is contained in:
parent
a14ea39c4a
commit
409b473c82
@ -5,7 +5,15 @@ import * as path from "path"
|
|||||||
import safeCompare from "safe-compare"
|
import safeCompare from "safe-compare"
|
||||||
import { rootPath } from "../constants"
|
import { rootPath } from "../constants"
|
||||||
import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"
|
import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"
|
||||||
import { hash, hashLegacy, humanPath, isHashLegacyMatch, isHashMatch } from "../util"
|
import {
|
||||||
|
getPasswordMethod,
|
||||||
|
handlePasswordValidation,
|
||||||
|
hash,
|
||||||
|
hashLegacy,
|
||||||
|
humanPath,
|
||||||
|
isHashLegacyMatch,
|
||||||
|
isHashMatch,
|
||||||
|
} from "../util"
|
||||||
|
|
||||||
export enum Cookie {
|
export enum Cookie {
|
||||||
Key = "key",
|
Key = "key",
|
||||||
@ -62,36 +70,28 @@ router.get("/", async (req, res) => {
|
|||||||
})
|
})
|
||||||
|
|
||||||
router.post("/", async (req, res) => {
|
router.post("/", async (req, res) => {
|
||||||
|
const password = req.body.password
|
||||||
|
const hashedPasswordFromArgs = req.args["hashed-password"]
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// Check to see if they exceeded their login attempts
|
// Check to see if they exceeded their login attempts
|
||||||
if (!limiter.canTry()) {
|
if (!limiter.canTry()) {
|
||||||
throw new Error("Login rate limited!")
|
throw new Error("Login rate limited!")
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!req.body.password) {
|
if (!password) {
|
||||||
throw new Error("Missing password")
|
throw new Error("Missing password")
|
||||||
}
|
}
|
||||||
|
|
||||||
// this logic below is flawed
|
const passwordMethod = getPasswordMethod(hashedPasswordFromArgs)
|
||||||
const theHash = await hash(req.body.password)
|
const { isPasswordValid, hashedPassword } = await handlePasswordValidation({
|
||||||
const hashedPassword = req.args["hashed-password"] || ""
|
passwordMethod,
|
||||||
const match = await isHashMatch(req.body.password, hashedPassword)
|
hashedPasswordFromArgs,
|
||||||
// console.log(`The actual hash: ${theHash}`)
|
passwordFromRequestBody: password,
|
||||||
// console.log(`hashed-password from config: ${hashedPassword}`)
|
passwordFromArgs: req.args.password,
|
||||||
// console.log(theHash, hashedPassword)
|
})
|
||||||
console.log(`is it a match??? ${match}`)
|
|
||||||
if (
|
if (isPasswordValid) {
|
||||||
req.args["hashed-password"]
|
|
||||||
? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
|
|
||||||
: req.args.password && safeCompare(req.body.password, req.args.password)
|
|
||||||
) {
|
|
||||||
// NOTE@jsjoeio:
|
|
||||||
// We store the hashed password as a cookie. In order to be backwards-comptabile for the folks
|
|
||||||
// using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
|
|
||||||
// TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
|
|
||||||
// but doesn't check which algorithm they are using.
|
|
||||||
console.log(`What is this? ${req.args["hashed-password"]}`, Boolean(req.args["hashed-password"]))
|
|
||||||
const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
|
|
||||||
// The hash does not add any actual security but we do it for
|
// The hash does not add any actual security but we do it for
|
||||||
// obfuscation purposes (and as a side effect it handles escaping).
|
// obfuscation purposes (and as a side effect it handles escaping).
|
||||||
res.cookie(Cookie.Key, hashedPassword, {
|
res.cookie(Cookie.Key, hashedPassword, {
|
||||||
|
Reference in New Issue
Block a user