diff --git a/src/node/cli.ts b/src/node/cli.ts
index 8278dfedb..39d38fb3d 100644
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@@ -114,7 +114,7 @@ const options: Options> = {
   "hashed-password": {
     type: "string",
     description:
-      "The password hashed with SHA-256 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
+      "The password hashed with argon2 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
       "Takes precedence over 'password'.",
   },
   cert: {
diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
index 4d0420eba..eb9a775a6 100644
--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@@ -5,7 +5,7 @@ import * as path from "path"
 import safeCompare from "safe-compare"
 import { rootPath } from "../constants"
 import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"
-import { hash, hashLegacy, humanPath, isHashLegacyMatch } from "../util"
+import { hash, hashLegacy, humanPath, isHashLegacyMatch, isHashMatch } from "../util"
 
 export enum Cookie {
   Key = "key",
@@ -72,6 +72,14 @@ router.post("/", async (req, res) => {
       throw new Error("Missing password")
     }
 
+    // this logic below is flawed
+    const theHash = await hash(req.body.password)
+    const hashedPassword = req.args["hashed-password"] || ""
+    const match = await isHashMatch(req.body.password, hashedPassword)
+    // console.log(`The actual hash: ${theHash}`)
+    // console.log(`hashed-password from config: ${hashedPassword}`)
+    // console.log(theHash, hashedPassword)
+    console.log(`is it a match??? ${match}`)
     if (
       req.args["hashed-password"]
         ? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
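Review bot: The new description tells users to supply an argon2 hash, but on the new side of src/node/routes/login.ts in this same commit the `hashed-password` branch still verifies with `isHashLegacyMatch` and still calls `hashLegacy`, so an argon2 PHC string configured as this text instructs would not be accepted by the visible code. Until the login path actually dispatches on the hash format, the text should describe what is accepted, e.g. `"The password hashed with argon2 (legacy SHA-256 hex digests are still accepted) for password authentication ..."`, and say how the hash is produced. Because an argon2 string starts with `$argon2…$v=19$…`, it is also worth a sentence that `$HASHED_PASSWORD` must be single-quoted or set in the config file, since a double-quoted shell export will expand the `$` segments to empty strings and the resulting value will never match.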
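Review bot: The eight added lines compute `theHash` and `match` but never feed them into the `if` that follows, which still decides on `isHashLegacyMatch`, so the login outcome is unchanged while every attempt now pays for an extra argon2 hash of the submitted password and prints the verification result to stdout. `console.log(\`is it a match??? ${match}\`)`, the three commented-out logs that would print the computed and configured hashes, and the `// this logic below is flawed` marker read as work-in-progress scaffolding and should not land. If `isHashMatch` wraps argon2's verify (inferred from its name and the PHC fixture in the test file, not visible here), passing `""` or a legacy hex digest as the stored hash will most likely throw rather than return false, so the argon2 check has to be gated on the configured value actually being a PHC string. The router.post handler and the `if` it feeds continue outside the hunk; the condition should then consume `match` instead of calling `isHashLegacyMatch` a second time.
```typescript
    // … unchanged: "Missing password" check …
    const hashedPassword = req.args["hashed-password"] || ""
    // argon2 emits PHC strings beginning with "$argon2"; anything else configured
    // is treated as a legacy sha256 hex digest. Exactly one verification per attempt.
    let match = false
    if (hashedPassword.startsWith("$argon2")) {
      match = await isHashMatch(req.body.password, hashedPassword)
    } else if (hashedPassword) {
      match = isHashLegacyMatch(req.body.password, hashedPassword)
    }
    // … unchanged: if (…) — its hashed-password branch should become `match` …
```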
@@ -82,6 +90,7 @@ router.post("/", async (req, res) => {
       // using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
       // TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
       // but doesn't check which algorithm they are using.
+      console.log(`What is this? ${req.args["hashed-password"]}`, Boolean(req.args["hashed-password"]))
       const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
       // The hash does not add any actual security but we do it for
       // obfuscation purposes (and as a side effect it handles escaping).
diff --git a/test/unit/cli.test.ts b/test/unit/cli.test.ts
index 6d4fcafb1..340b1d796 100644
--- a/test/unit/cli.test.ts
+++ b/test/unit/cli.test.ts
@@ -305,8 +305,9 @@ describe("parser", () => {
     })
   })
 
-  it("should use env var hashed password", async () => {
-    process.env.HASHED_PASSWORD = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" // test
+  it.only("should use env var hashed password", async () => {
+    process.env.HASHED_PASSWORD =
+      "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY" // test
     const args = parse([])
     expect(args).toEqual({
       _: [],
@@ -316,7 +317,8 @@ describe("parser", () => {
     expect(defaultArgs).toEqual({
       ...defaults,
       _: [],
-      "hashed-password": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
+      "hashed-password":
+        "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
       usingEnvHashedPassword: true,
     })
   })
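Review bot: The added `console.log(\`What is this? ${req.args["hashed-password"]}\`, …)` writes the configured credential hash to stdout on every successful login; when that value is a legacy unsalted SHA-256 digest (the case the surrounding comments describe) it is directly crackable offline, and process logs are routinely shipped to places with far weaker access control than the config file. Delete the line; if the branch taken needs to be observable while this is being reworked, log only a format indicator such as `req.args["hashed-password"]?.startsWith("$argon2")`, never the value. The `hashedPassword` computed on the next line still uses `hashLegacy` whenever `hashed-password` is set, which the context's own TODO already flags; the handler continues outside the hunk.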
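Review bot: `it.only(` restricts the run to this single case and silently skips every other test in the parser suite, so a merge in this state would hide regressions elsewhere in the file; revert to `it("should use env var hashed password", async () => {` before landing. The new fixture is an argon2i string with `m=4096,t=3,p=1`, which are the node argon2 library defaults; if `hash()` in util.ts relies on those defaults as well (not visible here), consider pinning argon2id with a larger memory cost explicitly, since 4 MiB is well below current password-hashing guidance — confirm against util.ts.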
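Review bot: The argon2 string introduced in the previous hunk is repeated verbatim here, so a typo in either copy would fail the assertion for a reason unrelated to the parser. Hoist it once near the top of the describe block, e.g. `const hashedPasswordFixture = "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY"`, and use it for both `process.env.HASHED_PASSWORD` and the expected `"hashed-password"` value.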