fix: use compiled-safe password hashing

2026-05-08 16:36:58 +00:00
parent cc6a81012c
commit 201602b733
7 changed files with 95 additions and 36 deletions
+7 -12
@@ -5,8 +5,7 @@ import type { IUser as IDatabaseUser } from '../ts/types.ts';
import { AdminHandler } from '../ts/opsserver/handlers/admin.handler.ts';
import {
hashPassword,
isBcryptHash,
needsPasswordUpgrade,
isPbkdf2Hash,
verifyPassword,
} from '../ts/utils/auth.ts';
@@ -45,18 +44,14 @@ async function createAdminHandler(users: IDatabaseUser[]): Promise<AdminHandler>
return adminHandler;
}
Deno.test('password helpers support bcrypt and legacy password hashes', async () => {
Deno.test('password helpers support PBKDF2 password hashes', async () => {
const password = 'correct horse battery staple';
const bcryptHash = await hashPassword(password);
const passwordHash = await hashPassword(password);
assert(isBcryptHash(bcryptHash));
assert(await verifyPassword(password, bcryptHash));
assert(!(await verifyPassword('wrong password', bcryptHash)));
assert(!needsPasswordUpgrade(bcryptHash));
const legacyHash = btoa(password);
assert(await verifyPassword(password, legacyHash));
assert(needsPasswordUpgrade(legacyHash));
assert(isPbkdf2Hash(passwordHash));
assert(await verifyPassword(password, passwordHash));
assert(!(await verifyPassword('wrong password', passwordHash)));
assert(!(await verifyPassword(password, btoa(password))));
});
Deno.test('verified identity is derived from the signed JWT and database, not client fields', async () => {
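Review bot: The rewritten `password helpers support PBKDF2 password hashes` test no longer pins what `verifyPassword` does with a bcrypt hash that is already stored, although the removed lines show that `hashPassword` produced bcrypt until this commit. The only non-PBKDF2 input left is `btoa(password)`, so it is worth adding an assertion that a bcrypt-format string is rejected with `false` rather than an exception, and confirming that accounts still holding such hashes get a reset or migration path (nothing in this section shows one). The test also never checks salting; `assert((await hashPassword(password)) !== passwordHash);` would catch a fixed or missing salt. If the stored string encodes the iteration count, a check that a hash with a lowered count is refused or flagged would keep a weakened stored value from verifying silently; the implementation in `../ts/utils/auth.ts` is outside this section, so that format is an assumption.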