Archived
1
0

fix(isHashMatch): check that hash starts with $

Previously, we used argon2 to verify the hash with the password.

If the hash didn't start with a $, then it would enter the catch block.

Now we check the hash before trying to verify it and we also throw an Error if
the verify fails.

This makes the isHashMatch function more robust.
This commit is contained in:
Joe Previte 2021-06-30 12:29:12 -07:00
parent e9d4f877f9
commit 7f12fab3ca
No known key found for this signature in database
GPG Key ID: 2C91590C6B742C24
2 changed files with 13 additions and 3 deletions

View File

@ -166,14 +166,13 @@ export const hash = async (password: string): Promise<string> => {
* Used to verify if the password matches the hash
*/
export const isHashMatch = async (password: string, hash: string) => {
if (password === "" || hash === "") {
if (password === "" || hash === "" || !hash.startsWith("$")) {
return false
}
try {
return await argon2.verify(hash, password)
} catch (error) {
logger.error(error)
return false
throw new Error(error)
}
}

View File

@ -189,6 +189,17 @@ describe("isHashMatch", () => {
const actual = await util.isHashMatch(password, _hash)
expect(actual).toBe(false)
})
it("should return false and not throw an error if the hash doesn't start with a $", async () => {
const password = "hellowpasssword"
const _hash = "n2i$v=19$m=4096,t=3,p=1$EAoczTxVki21JDfIZpTUxg$rkXgyrW4RDGoDYrxBFD4H2DlSMEhP4h+Api1hXnGnFY"
expect(async () => await util.isHashMatch(password, _hash)).not.toThrow()
expect(await util.isHashMatch(password, _hash)).toBe(false)
})
it("should reject the promise and throw if error", async () => {
const password = "hellowpasssword"
const _hash = "$ar2i"
expect(async () => await util.isHashMatch(password, _hash)).rejects.toThrow()
})
})
describe("hashLegacy", () => {