feat: update cli and test for hashed-password

src/node/cli.ts

@@ -114,7 +114,7 @@ const options: Options<Required<Args>> = {
   "hashed-password": {
     type: "string",
     description:
-      "The password hashed with SHA-256 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
+      "The password hashed with argon2 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
       "Takes precedence over 'password'.",
   },
   cert: {

src/node/routes/login.ts

@@ -5,7 +5,7 @@ import * as path from "path"
 import safeCompare from "safe-compare"
 import { rootPath } from "../constants"
 import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"
-import { hash, hashLegacy, humanPath, isHashLegacyMatch } from "../util"
+import { hash, hashLegacy, humanPath, isHashLegacyMatch, isHashMatch } from "../util"
 
 export enum Cookie {
   Key = "key",
@@ -72,6 +72,14 @@ router.post("/", async (req, res) => {
       throw new Error("Missing password")
     }
 
+    // this logic below is flawed
+    const theHash = await hash(req.body.password)
+    const hashedPassword = req.args["hashed-password"] || ""
+    const match = await isHashMatch(req.body.password, hashedPassword)
+    // console.log(`The actual hash: ${theHash}`)
+    // console.log(`hashed-password from config: ${hashedPassword}`)
+    // console.log(theHash, hashedPassword)
+    console.log(`is it a match??? ${match}`)
     if (
       req.args["hashed-password"]
         ? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
@@ -82,6 +90,7 @@ router.post("/", async (req, res) => {
       // using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
       // TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
       // but doesn't check which algorithm they are using.
+      console.log(`What is this? ${req.args["hashed-password"]}`, Boolean(req.args["hashed-password"]))
       const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
       // The hash does not add any actual security but we do it for
       // obfuscation purposes (and as a side effect it handles escaping).

test/unit/cli.test.ts

@@ -305,8 +305,9 @@ describe("parser", () => {
     })
   })
 
-  it("should use env var hashed password", async () => {
+  it.only("should use env var hashed password", async () => {
-    process.env.HASHED_PASSWORD = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" // test
+    process.env.HASHED_PASSWORD =
+      "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY" // test
     const args = parse([])
     expect(args).toEqual({
       _: [],
@@ -316,7 +317,8 @@ describe("parser", () => {
     expect(defaultArgs).toEqual({
       ...defaults,
       _: [],
-      "hashed-password": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
+      "hashed-password":
+        "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
       usingEnvHashedPassword: true,
     })
   })