authentication: adds new secrets

@wwwjim 2020-08-10 22:15:39 -07:00
parent 1e4f488fbe
commit 2044b11803
6 changed files with 34 additions and 23 deletions


@ -13,11 +13,14 @@ export const POSTGRES_ADMIN_USERNAME = process.env.POSTGRES_ADMIN_USERNAME;
export const POSTGRES_HOSTNAME = process.env.POSTGRES_HOSTNAME;
export const POSTGRES_DATABASE = process.env.POSTGRES_DATABASE;
export const JWT_SECRET = process.env.JWT_SECRET;
export const LOCAL_PASSWORD_ROUNDS_MANUAL =
process.env.LOCAL_PASSWORD_ROUNDS_MANUAL;
export const LOCAL_PASSWORD_ROUNDS = process.env.LOCAL_PASSWORD_ROUNDS;
// TODO(jim):
// Brittle, don't let people know the number of times something is salted.
// Not a big deal for testing at the moment.
export const LOCAL_PASSWORD_SECRET = `$2b$13$${
export const LOCAL_PASSWORD_SECRET = `$2b$${LOCAL_PASSWORD_ROUNDS}$${
process.env.LOCAL_PASSWORD_SECRET
}`;
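Review bot: `LOCAL_PASSWORD_SECRET` is assembled from two raw environment strings and nothing in the hunk checks them, so an unset or single-digit `LOCAL_PASSWORD_ROUNDS` produces a string such as `$2b$undefined$...` or `$2b$9$...` that is not a well-formed bcrypt salt, and `BCrypt.hash` will reject it on every login instead of the process failing at startup. The bcrypt salt format expects a two-digit cost followed by a 22-character salt body, so normalise and fail fast here, e.g. `const rounds = String(Number(LOCAL_PASSWORD_ROUNDS)).padStart(2, "0");` and `if (!process.env.LOCAL_PASSWORD_SECRET) throw new Error("LOCAL_PASSWORD_SECRET is not set");` before the template literal. `LOCAL_PASSWORD_ROUNDS_MANUAL` is likewise exported as a string although it is consumed as a loop bound; exporting `Number(process.env.LOCAL_PASSWORD_ROUNDS_MANUAL)` keeps the coercion in one place and makes a missing value visible as `NaN` rather than as a loop that silently never runs.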


@ -4,6 +4,7 @@ import * as Powergate from "~/node_common/powergate";
import * as Constants from "~/node_common/constants";
import JWT from "jsonwebtoken";
import BCrypt from "bcrypt";
import { Buckets } from "@textile/hub";
import { Libp2pCryptoIdentity } from "@textile/threads-core";
@ -37,6 +38,20 @@ export const getIdFromCookie = (req) => {
return id;
};
export const encryptPassword = async (text) => {
if (!text) {
return null;
}
let hash = text;
for (let i = 0; i < Environment.LOCAL_PASSWORD_ROUNDS_MANUAL; i++) {
hash = await BCrypt.hash(hash, salt);
}
hash = await BCrypt.hash(hash, Environment.LOCAL_PASSWORD_SECRET);
return hash;
};
export const parseAuthHeader = (value) => {
if (typeof value !== "string") {
return null;
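Review bot: `encryptPassword` takes only `text` but its loop hashes with `salt`, which is declared nowhere in the hunk, while all three callers in this commit pass a second argument; unless a module-level `salt` exists outside the hunk, the first call throws a ReferenceError. The signature should read `export const encryptPassword = async (text, salt) => {`. The loop bound `Environment.LOCAL_PASSWORD_ROUNDS_MANUAL` is a raw environment string: when it is unset, `i < undefined` is false, the loop is skipped and only the secret round runs, so the scheme degrades without any error; parse it explicitly with `const rounds = Number(Environment.LOCAL_PASSWORD_ROUNDS_MANUAL);` and reject a non-integer value. A short JSDoc stating that the result is comparable only against a hash produced with the same `salt` and the same `LOCAL_PASSWORD_ROUNDS_MANUAL` would help the sign-in and sign-up handlers that now depend on it.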


@ -2,7 +2,7 @@ import * as MW from "~/node_common/middleware";
const initCORS = MW.init(MW.CORS);
export default (req, res) => {
export default async (req, res) => {
initCORS(req, res);
return res


@ -5,7 +5,6 @@ import * as Data from "~/node_common/data";
import * as Strings from "~/common/strings";
import JWT from "jsonwebtoken";
import BCrypt from "bcrypt";
const initCORS = MW.init(MW.CORS);
@ -42,14 +41,12 @@ export default async (req, res) => {
.send({ decorator: "SERVER_SIGN_IN_USER_NOT_FOUND", error: true });
}
const phaseOne = await BCrypt.hash(req.body.data.password, user.salt);
const phaseTwo = await BCrypt.hash(phaseOne, user.salt);
const phaseThree = await BCrypt.hash(
phaseTwo,
Environment.LOCAL_PASSWORD_SECRET
const hash = await Utilities.encryptPassword(
req.body.data.password,
user.salt
);
if (phaseThree !== user.password) {
if (hash !== user.password) {
return res
.status(403)
.send({ decorator: "SERVER_SIGN_IN_AUTH", error: true });
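Review bot: The comparison `if (hash !== user.password)` treats a `null` result from `encryptPassword` as just another mismatch, which is only correct while every stored `user.password` is non-null; `encryptPassword` returns `null` for a falsy password, so a user row whose `password` column is null would be accepted with an empty password. Guard the result explicitly, `if (!hash || hash !== user.password) {`. Separately, the new call hashes `LOCAL_PASSWORD_ROUNDS_MANUAL` times with `user.salt` before the secret round, whereas the removed lines hashed exactly twice; unless that variable is set to 2, accounts created before this commit stop verifying, which is worth stating in the commit message or covering with a migration. The handler's function body starts and ends outside the hunk.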


@ -38,16 +38,13 @@ export default async (req, res) => {
.send({ decorator: "SERVER_INVALID_PASSWORD", error: true });
}
// TODO(jim): Do not expose how many times you are salting
// in OSS, add a random value as an environment variable.
const salt = await BCrypt.genSalt(13);
const hash = await BCrypt.hash(req.body.data.password, salt);
const double = await BCrypt.hash(hash, salt);
const triple = await BCrypt.hash(double, Environment.LOCAL_PASSWORD_SECRET);
const rounds = Number(Environment.LOCAL_PASSWORD_ROUNDS);
const salt = await BCrypt.genSalt(rounds);
const hash = await Utilities.encryptPassword(req.body.data.password, salt);
const pg = await Powergate.createNewToken();
// API
// TODO(jim):
// Single Key Textile Auth.
const identity = await Libp2pCryptoIdentity.fromRandom();
const api = identity.toString();
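Review bot: `const rounds = Number(Environment.LOCAL_PASSWORD_ROUNDS);` is passed straight to `BCrypt.genSalt(rounds)` with no validation, so an unset or misspelt variable yields `NaN` and the outcome depends on how bcrypt treats a non-integer cost rather than on anything this code decides; the same two lines appear in the password-change handler later in this commit. The cost must also agree with the digits embedded in `Environment.LOCAL_PASSWORD_SECRET`, which is built from the raw string of the same variable, so parsing it in two places invites drift. Parse and validate it once in the constants module, or at least guard here with `if (!Number.isInteger(rounds) || rounds < 4) throw new Error("LOCAL_PASSWORD_ROUNDS is not a valid bcrypt cost");`, and have both handlers use that value. The handler starts and ends outside the hunk.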
@ -60,7 +57,7 @@ export default async (req, res) => {
} = await Utilities.getBucketAPIFromUserToken(api);
const user = await Data.createUser({
password: triple,
password: hash,
salt,
username: req.body.data.username.toLowerCase(),
data: {


@ -70,15 +70,14 @@ export default async (req, res) => {
.json({ decorator: "SERVER_INVALID_PASSWORD", error: true });
}
const salt = await BCrypt.genSalt(13);
const hash = await BCrypt.hash(req.body.password, salt);
const double = await BCrypt.hash(hash, salt);
const triple = await BCrypt.hash(double, Environment.LOCAL_PASSWORD_SECRET);
const rounds = Number(Environment.LOCAL_PASSWORD_ROUNDS);
const salt = await BCrypt.genSalt(rounds);
const hash = await Utilities.encryptPassword(req.body.password, salt);
await Data.updateUserById({
id: user.id,
salt,
password: triple,
password: hash,
});
}