feat: update cli and test for hashed-password
parent
788b958e20
commit
ffa5c16e51
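--- a/<path-not-on-page>/cli-options
+++ b/<path-not-on-page>/cli-options
@@ -114,7 +114,7 @@ const options: Options<Required<Args>> = {
 "hashed-password": {
 type: "string",
 description:
-"The password hashed with SHA-256 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
+"The password hashed with argon2 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
 "Takes precedence over 'password'.",
 },
 cert: {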
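Review bot: The new description in the @@ -114 hunk names argon2 but says nothing about the expected encoding, and the login route changed in this same commit still calls `isHashLegacyMatch` on the configured value, so a reader of `--help` cannot tell what string to put in `$HASHED_PASSWORD` or whether an existing SHA-256 value keeps working. The test added in this commit uses a `$argon2i$v=19$...` string, which suggests the PHC-style encoding is what is expected. Suggest spelling that out in the description, e.g. `"The password hashed with argon2 (a $argon2…$ string) for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +`, and, if legacy SHA-256 hashes remain accepted, saying so in the same sentence.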
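--- a/<path-not-on-page>/login-route
+++ b/<path-not-on-page>/login-route
@@ -5,7 +5,7 @@ import * as path from "path"
 import safeCompare from "safe-compare"
 import { rootPath } from "../constants"
 import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"
-import { hash, hashLegacy, humanPath, isHashLegacyMatch } from "../util"
+import { hash, hashLegacy, humanPath, isHashLegacyMatch, isHashMatch } from "../util"
 
 export enum Cookie {
 Key = "key",
@@ -72,6 +72,14 @@ router.post("/", async (req, res) => {
 throw new Error("Missing password")
 }
 
+// this logic below is flawed
+const theHash = await hash(req.body.password)
+const hashedPassword = req.args["hashed-password"] || ""
+const match = await isHashMatch(req.body.password, hashedPassword)
+// console.log(`The actual hash: ${theHash}`)
+// console.log(`hashed-password from config: ${hashedPassword}`)
+// console.log(theHash, hashedPassword)
+console.log(`is it a match??? ${match}`)
 if (
 req.args["hashed-password"]
 ? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
@@ -82,6 +90,7 @@ router.post("/", async (req, res) => {
 // using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
 // TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
 // but doesn't check which algorithm they are using.
+console.log(`What is this? ${req.args["hashed-password"]}`, Boolean(req.args["hashed-password"]))
 const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
 // The hash does not add any actual security but we do it for
 // obfuscation purposes (and as a side effect it handles escaping).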
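Review bot: The `console.log` added at the end of the @@ -82 hunk writes the configured `hashed-password` value into the server log on every login attempt, and the `console.log` of `match` in the @@ -72 hunk is debug output as well; the stored hash is the credential verifier and should not land in logs, so both lines, together with the three commented-out `console.log` lines, should be removed before merge. In the same @@ -72 hunk `match` is computed from `isHashMatch` but the `if` that follows still decides on `isHashLegacyMatch` alone, so the new argon2 check has no effect on authentication yet, and `theHash` is never read — if `hash` is the argon2 function its name suggests, that is an extra password hash per request for nothing. The `if` and the surrounding handler continue outside the hunk, and the second declaration of `hashedPassword` in the @@ -82 hunk sits in the same handler, so the two names need reconciling as well. A minimal shape would be to drop `theHash` and all the logging, keep `const match = await isHashMatch(req.body.password, hashedPassword)`, and feed `match` into the condition; the WIP marker `// this logic below is flawed` should go with it.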
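--- a/<path-not-on-page>/cli-parser-test
+++ b/<path-not-on-page>/cli-parser-test
@@ -305,8 +305,9 @@ describe("parser", () => {
 })
 })
 
-it("should use env var hashed password", async () => {
-process.env.HASHED_PASSWORD = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" // test
+it.only("should use env var hashed password", async () => {
+process.env.HASHED_PASSWORD =
+"$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY" // test
 const args = parse([])
 expect(args).toEqual({
 _: [],
@@ -316,7 +317,8 @@ describe("parser", () => {
 expect(defaultArgs).toEqual({
 ...defaults,
 _: [],
-"hashed-password": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
+"hashed-password":
+"$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
 usingEnvHashedPassword: true,
 })
 })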
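Review bot: `it.only(` in the @@ -305 hunk makes the test runner skip every other test in this file, and nothing in the commit message says that is intended, so the rest of the parser suite silently stops running; change it back to `it("should use env var hashed password", async () => {` before merge. The fixture itself only checks pass-through: the argon2 string is read from the environment and the second hunk asserts the same string comes back, so nothing here verifies a password against it — worth a comment on the assignment such as `// argon2 fixture; this test only checks the env var is passed through, not that a password verifies against it` so the next reader does not mistake it for a verification test.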