Skip to content

fix: use sufficient computational effort for password hash #3422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 27 commits into from
Jun 9, 2021
Merged

fix: use sufficient computational effort for password hash #3422

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
dd2cb16
chore: update CHANGELOG
jsjoeio May 19, 2021
cac6673
refactor: use bcrypt in hash function
jsjoeio May 19, 2021
17be8c5
refactor: use bcrypt in e2e setup
jsjoeio May 19, 2021
f35120c
feat: add unit test for hash function
jsjoeio May 19, 2021
aaf0447
refactor: add functions to check hash password
jsjoeio May 19, 2021
fc3326f
feat: add tests using real hashes
jsjoeio May 20, 2021
dc2db5c
chore: add argon2 package
jsjoeio Jun 2, 2021
51f8341
chore: update to argon2 in test
jsjoeio Jun 2, 2021
70197bb
refactor: use argon2 instead of bcrypt
jsjoeio Jun 2, 2021
fd3cb6c
refactor: update unit tests for hash fns
jsjoeio Jun 2, 2021
fcc3f0d
refactor: update login logic with new async hashing
jsjoeio Jun 2, 2021
0cdbd33
refactor: make authenticated async everywhere
jsjoeio Jun 2, 2021
91303d4
refactor: make ensureAuthenticated async
jsjoeio Jun 2, 2021
1134780
refactor: make wsProxy async
jsjoeio Jun 2, 2021
788b958
refactor: update hash fn in test config
jsjoeio Jun 2, 2021
ffa5c16
feat: update cli and test for hashed-password
jsjoeio Jun 2, 2021
7ff4117
feat: add getPasswordMethod & test for it
jsjoeio Jun 2, 2021
a14ea39
feat: add handlePasswordValidation + tests
jsjoeio Jun 2, 2021
409b473
refactor: rewrite password logic at /login
jsjoeio Jun 2, 2021
6020480
feat: add isCookieValid function and tests
jsjoeio Jun 3, 2021
923761c
refactor: password logic in http w/ isCookieValid
jsjoeio Jun 3, 2021
517aaf7
docs: update FAQ with new hashing instructions
jsjoeio Jun 3, 2021
531b7c0
feat: add splitOnFirstEquals function
jsjoeio Jun 3, 2021
8c2bb61
refactor: parse options with multiple = in cli
jsjoeio Jun 3, 2021
deaa224
feat: add npm_config_build_from_source to build scripts
jsjoeio Jun 7, 2021
3b50bfc
fix: sanitize password and cookie key
jsjoeio Jun 7, 2021
1e55a64
feat: check for empty str in isHashMatch
jsjoeio Jun 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
feat: add isCookieValid function and tests
  • Loading branch information
@jsjoeio
jsjoeio committed Jun 8, 2021
commit 6020480b308d359f6f6ee0b55038f6ef9e1bc673
25 changes: 25 additions & 0 deletions src/node/util.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,31 @@ export async function handlePasswordValidation(
return passwordValidation
}

export type IsCookieValidArgs = {
passwordMethod: PasswordMethod
cookieKey: string
hashedPasswordFromArgs: string | undefined
passwordFromArgs: string | undefined
}

/** Checks if a req.cookies.key is valid using the PasswordMethod */
export async function isCookieValid(isCookieValidArgs: IsCookieValidArgs): Promise<boolean> {
let isValid = false
const { passwordFromArgs = "", cookieKey, hashedPasswordFromArgs = "" } = isCookieValidArgs
switch (isCookieValidArgs.passwordMethod) {
case "PLAIN_TEXT":
isValid = await isHashMatch(passwordFromArgs, cookieKey)
break
case "ARGON2":
case "SHA256":
isValid = safeCompare(cookieKey, hashedPasswordFromArgs)
break
default:
break
}
return isValid
}

const mimeTypes: { [key: string]: string } = {
".aac": "audio/x-aac",
".avi": "video/x-msvideo",
Expand Down
62 changes: 61 additions & 1 deletion test/unit/node/util.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import {
getPasswordMethod,
hashLegacy,
isHashLegacyMatch,
isCookieValid,
} from "../../../src/node/util"

describe("getEnvPaths", () => {
Expand Down Expand Up @@ -234,7 +235,7 @@ describe("getPasswordMethod", () => {
})
})

describe.only("handlePasswordValidation", () => {
describe("handlePasswordValidation", () => {
it("should return true with a hashedPassword for a PLAIN_TEXT password", async () => {
const p = "password"
const passwordValidation = await handlePasswordValidation({
Expand Down Expand Up @@ -322,3 +323,62 @@ describe.only("handlePasswordValidation", () => {
expect(matchesHash).toBe(false)
})
})

describe.only("isCookieValid", () => {
it("should be valid if hashed-password for SHA256 matches cookie.key", async () => {
const isValid = await isCookieValid({
passwordMethod: "SHA256",
cookieKey: "936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af",
hashedPasswordFromArgs: "936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af",
passwordFromArgs: undefined,
})
expect(isValid).toBe(true)
})
it("should be invalid if hashed-password for SHA256 does not match cookie.key", async () => {
const isValid = await isCookieValid({
passwordMethod: "SHA256",
cookieKey: "936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb9442bb6f8f8f07af",
hashedPasswordFromArgs: "936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af",
passwordFromArgs: undefined,
})
expect(isValid).toBe(false)
})
it("should be valid if hashed-password for ARGON2 matches cookie.key", async () => {
const isValid = await isCookieValid({
passwordMethod: "ARGON2",
cookieKey: "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
hashedPasswordFromArgs:
"$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
passwordFromArgs: undefined,
})
expect(isValid).toBe(true)
})
it("should be invalid if hashed-password for ARGON2 does not match cookie.key", async () => {
const isValid = await isCookieValid({
passwordMethod: "ARGON2",
cookieKey: "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9H",
hashedPasswordFromArgs:
"$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
passwordFromArgs: undefined,
})
expect(isValid).toBe(false)
})
it("should be valid if password for PLAIN_TEXT matches cookie.key", async () => {
const isValid = await isCookieValid({
passwordMethod: "PLAIN_TEXT",
cookieKey: "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
passwordFromArgs: "password",
hashedPasswordFromArgs: undefined,
})
expect(isValid).toBe(true)
})
it("should be invalid if hashed-password for PLAIN_TEXT does not match cookie.key", async () => {
const isValid = await isCookieValid({
passwordMethod: "PLAIN_TEXT",
cookieKey: "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9H",
passwordFromArgs: "password1234",
hashedPasswordFromArgs: undefined,
})
expect(isValid).toBe(false)
})
})