authentication: adds new secrets
This commit is contained in:
parent
1e4f488fbe
commit
2044b11803
@ -13,11 +13,14 @@ export const POSTGRES_ADMIN_USERNAME = process.env.POSTGRES_ADMIN_USERNAME;
|
||||
export const POSTGRES_HOSTNAME = process.env.POSTGRES_HOSTNAME;
|
||||
export const POSTGRES_DATABASE = process.env.POSTGRES_DATABASE;
|
||||
export const JWT_SECRET = process.env.JWT_SECRET;
|
||||
export const LOCAL_PASSWORD_ROUNDS_MANUAL =
|
||||
process.env.LOCAL_PASSWORD_ROUNDS_MANUAL;
|
||||
export const LOCAL_PASSWORD_ROUNDS = process.env.LOCAL_PASSWORD_ROUNDS;
|
||||
|
||||
// TODO(jim):
|
||||
// Brittle, don't let people know the number of times something is salted.
|
||||
// Not a big deal for testing at the moment.
|
||||
export const LOCAL_PASSWORD_SECRET = `$2b$13$${
|
||||
export const LOCAL_PASSWORD_SECRET = `$2b$${LOCAL_PASSWORD_ROUNDS}$${
|
||||
process.env.LOCAL_PASSWORD_SECRET
|
||||
}`;
|
||||
|
||||
|
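Review bot: Moving the bcrypt cost into `LOCAL_PASSWORD_ROUNDS` does not hide it, because bcrypt writes the cost into every hash it emits (the `$2b$13$` prefix on the removed line is exactly that), so any stored `user.password` already reveals it; the TODO should state this rather than promise secrecy, e.g. `// NOTE: the cost factor is not a secret; bcrypt embeds it in every hash it produces.`. The template also only forms a valid bcrypt salt when `LOCAL_PASSWORD_ROUNDS` is a two-digit cost and `LOCAL_PASSWORD_SECRET` is 22 bcrypt-base64 characters; with either variable unset the string literally contains `undefined` and `BCrypt.hash` will reject it on the first login instead of at startup. I would fail fast at module load: `if (!/^\d{2}$/.test(LOCAL_PASSWORD_ROUNDS ?? "") || !/^[./A-Za-z0-9]{22}$/.test(process.env.LOCAL_PASSWORD_SECRET ?? "")) throw new Error("LOCAL_PASSWORD_ROUNDS/LOCAL_PASSWORD_SECRET do not form a valid bcrypt salt");`.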
@ -4,6 +4,7 @@ import * as Powergate from "~/node_common/powergate";
|
||||
import * as Constants from "~/node_common/constants";
|
||||
|
||||
import JWT from "jsonwebtoken";
|
||||
import BCrypt from "bcrypt";
|
||||
|
||||
import { Buckets } from "@textile/hub";
|
||||
import { Libp2pCryptoIdentity } from "@textile/threads-core";
|
||||
@ -37,6 +38,20 @@ export const getIdFromCookie = (req) => {
|
||||
return id;
|
||||
};
|
||||
|
||||
export const encryptPassword = async (text) => {
|
||||
if (!text) {
|
||||
return null;
|
||||
}
|
||||
|
||||
let hash = text;
|
||||
for (let i = 0; i < Environment.LOCAL_PASSWORD_ROUNDS_MANUAL; i++) {
|
||||
hash = await BCrypt.hash(hash, salt);
|
||||
}
|
||||
hash = await BCrypt.hash(hash, Environment.LOCAL_PASSWORD_SECRET);
|
||||
|
||||
return hash;
|
||||
};
|
||||
|
||||
export const parseAuthHeader = (value) => {
|
||||
if (typeof value !== "string") {
|
||||
return null;
|
||||
|
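Review bot: `encryptPassword` is declared as `async (text) =>` but its loop calls `BCrypt.hash(hash, salt)`, and `salt` is never declared in the function; every call site in this commit passes the salt as a second argument, so unless some module-level `salt` exists outside the hunk this throws a ReferenceError rather than hashing with the per-user salt. The fix is `export const encryptPassword = async (text, salt) => {` with the guard widened to `if (!text || !salt) { return null; }`. Separately, `Environment.LOCAL_PASSWORD_ROUNDS_MANUAL` is a raw env string; `i < "2"` coerces, but an unset variable makes the loop run zero times with no error, so `const manualRounds = Number(Environment.LOCAL_PASSWORD_ROUNDS_MANUAL);` plus an `Number.isInteger` check would make a misconfiguration visible. A doc comment stating the scheme would also help the next reader: "bcrypt the password N times with the per-user salt, then once more with the server-side pepper salt; returns null for empty input".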
@ -2,7 +2,7 @@ import * as MW from "~/node_common/middleware";
|
||||
|
||||
const initCORS = MW.init(MW.CORS);
|
||||
|
||||
export default (req, res) => {
|
||||
export default async (req, res) => {
|
||||
initCORS(req, res);
|
||||
|
||||
return res
|
||||
|
@ -5,7 +5,6 @@ import * as Data from "~/node_common/data";
|
||||
import * as Strings from "~/common/strings";
|
||||
|
||||
import JWT from "jsonwebtoken";
|
||||
import BCrypt from "bcrypt";
|
||||
|
||||
const initCORS = MW.init(MW.CORS);
|
||||
|
||||
@ -42,14 +41,12 @@ export default async (req, res) => {
|
||||
.send({ decorator: "SERVER_SIGN_IN_USER_NOT_FOUND", error: true });
|
||||
}
|
||||
|
||||
const phaseOne = await BCrypt.hash(req.body.data.password, user.salt);
|
||||
const phaseTwo = await BCrypt.hash(phaseOne, user.salt);
|
||||
const phaseThree = await BCrypt.hash(
|
||||
phaseTwo,
|
||||
Environment.LOCAL_PASSWORD_SECRET
|
||||
const hash = await Utilities.encryptPassword(
|
||||
req.body.data.password,
|
||||
user.salt
|
||||
);
|
||||
|
||||
if (phaseThree !== user.password) {
|
||||
if (hash !== user.password) {
|
||||
return res
|
||||
.status(403)
|
||||
.send({ decorator: "SERVER_SIGN_IN_AUTH", error: true });
|
||||
|
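Review bot: `if (hash !== user.password)` compares the recomputed hash to the stored one with a short-circuiting string compare; the constant-time idiom is `BCrypt.compare`, or on Node `crypto.timingSafeEqual`, e.g. `if (hash === null || hash.length !== user.password.length || !crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(user.password)))` (which also covers the `null` that `encryptPassword` returns for an empty password). `user.salt` is also passed through unchecked, and a row without a salt will make `BCrypt.hash` throw and surface as a 500 instead of the 403 on the following lines, so a `if (!user.salt) return res.status(403)...` guard ahead of the call is worth adding. The enclosing handler starts and ends outside the hunk.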
@ -38,16 +38,13 @@ export default async (req, res) => {
|
||||
.send({ decorator: "SERVER_INVALID_PASSWORD", error: true });
|
||||
}
|
||||
|
||||
// TODO(jim): Do not expose how many times you are salting
|
||||
// in OSS, add a random value as an environment variable.
|
||||
const salt = await BCrypt.genSalt(13);
|
||||
const hash = await BCrypt.hash(req.body.data.password, salt);
|
||||
const double = await BCrypt.hash(hash, salt);
|
||||
const triple = await BCrypt.hash(double, Environment.LOCAL_PASSWORD_SECRET);
|
||||
|
||||
const rounds = Number(Environment.LOCAL_PASSWORD_ROUNDS);
|
||||
const salt = await BCrypt.genSalt(rounds);
|
||||
const hash = await Utilities.encryptPassword(req.body.data.password, salt);
|
||||
const pg = await Powergate.createNewToken();
|
||||
|
||||
// API
|
||||
// TODO(jim):
|
||||
// Single Key Textile Auth.
|
||||
const identity = await Libp2pCryptoIdentity.fromRandom();
|
||||
const api = identity.toString();
|
||||
|
||||
@ -60,7 +57,7 @@ export default async (req, res) => {
|
||||
} = await Utilities.getBucketAPIFromUserToken(api);
|
||||
|
||||
const user = await Data.createUser({
|
||||
password: triple,
|
||||
password: hash,
|
||||
salt,
|
||||
username: req.body.data.username.toLowerCase(),
|
||||
data: {
|
||||
|
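Review bot: `Number(Environment.LOCAL_PASSWORD_ROUNDS)` is handed to `BCrypt.genSalt(rounds)` with no validation; if the variable is unset or non-numeric this is `NaN`, and whether bcrypt then throws or falls back to a default cost depends on the library version, so an operator mistake can silently weaken every new account. Validate once before `genSalt`, e.g. `if (!Number.isInteger(rounds) || rounds < 10 || rounds > 31) { throw new Error("LOCAL_PASSWORD_ROUNDS must be an integer bcrypt cost"); }`. Note too that the same variable is interpolated as a string into `LOCAL_PASSWORD_SECRET` in the environment file, where a single-digit value such as `9` would be accepted by `genSalt` here but produce an invalid cost field there — I cannot see how the variable is set, so this is inferred. The old `TODO(jim)` comment about not exposing the salt count was removed without being replaced; a one-line note that the cost is read from the environment would keep the intent visible.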
@ -70,15 +70,14 @@ export default async (req, res) => {
|
||||
.json({ decorator: "SERVER_INVALID_PASSWORD", error: true });
|
||||
}
|
||||
|
||||
const salt = await BCrypt.genSalt(13);
|
||||
const hash = await BCrypt.hash(req.body.password, salt);
|
||||
const double = await BCrypt.hash(hash, salt);
|
||||
const triple = await BCrypt.hash(double, Environment.LOCAL_PASSWORD_SECRET);
|
||||
const rounds = Number(Environment.LOCAL_PASSWORD_ROUNDS);
|
||||
const salt = await BCrypt.genSalt(rounds);
|
||||
const hash = await Utilities.encryptPassword(req.body.password, salt);
|
||||
|
||||
await Data.updateUserById({
|
||||
id: user.id,
|
||||
salt,
|
||||
password: triple,
|
||||
password: hash,
|
||||
});
|
||||
}
|
||||
|
||||
|
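Review bot: The `rounds` / `genSalt` / `encryptPassword` triple on the new side is duplicated verbatim from the sign-up handler, so any validation of the cost factor has to be written twice and will drift; hoisting it into the utilities module, e.g. `export const hashNewPassword = async (password) => { const salt = await BCrypt.genSalt(Number(Environment.LOCAL_PASSWORD_ROUNDS)); return { salt, hash: await encryptPassword(password, salt) }; };`, gives one place to check `Number.isInteger(rounds)` before the salt is generated. As written, an unset `LOCAL_PASSWORD_ROUNDS` yields `NaN` and the outcome depends on bcrypt's handling of a non-integer cost, which is inferred rather than visible here. The enclosing handler starts outside the hunk.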