This commit is contained in:
@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.ts';
|
||||
import { logger } from '../../logging.ts';
|
||||
import type { OpsServer } from '../classes.opsserver.ts';
|
||||
import * as interfaces from '../../../ts_interfaces/index.ts';
|
||||
import { hashPassword, needsPasswordUpgrade, verifyPassword } from '../../utils/auth.ts';
|
||||
import { hashPassword, verifyPassword } from '../../utils/auth.ts';
|
||||
|
||||
export interface IJwtData {
|
||||
userId: string;
|
||||
@@ -112,11 +112,6 @@ export class AdminHandler {
|
||||
throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
|
||||
}
|
||||
|
||||
if (needsPasswordUpgrade(user.passwordHash)) {
|
||||
const upgradedHash = await hashPassword(dataArg.password);
|
||||
this.opsServerRef.oneboxRef.database.updateUserPassword(user.username, upgradedHash);
|
||||
}
|
||||
|
||||
const expiresAt = Date.now() + 24 * 3600 * 1000;
|
||||
const freshUser = this.opsServerRef.oneboxRef.database.getUserByUsername(user.username) || user;
|
||||
const identity = await this.createIdentityForUser(freshUser, expiresAt);
|
||||
|
||||
@@ -55,10 +55,6 @@ export const awsS3 = {
|
||||
import * as taskbuffer from '@push.rocks/taskbuffer';
|
||||
export { taskbuffer };
|
||||
|
||||
// Crypto utilities (for password hashing, encryption)
|
||||
import * as bcrypt from 'https://deno.land/x/bcrypt@v0.4.1/mod.ts';
|
||||
export { bcrypt };
|
||||
|
||||
// JWT for authentication
|
||||
import * as jwt from 'https://deno.land/x/djwt@v3.0.2/mod.ts';
|
||||
export { jwt};
|
||||
|
||||
+78
-12
@@ -1,17 +1,79 @@
|
||||
import * as plugins from '../plugins.ts';
|
||||
const pbkdf2HashPattern = /^pbkdf2-sha256\$(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$/;
|
||||
const pbkdf2Iterations = 210_000;
|
||||
const pbkdf2KeyLengthBits = 256;
|
||||
|
||||
const bcryptHashPattern = /^\$2[abxy]\$\d\d\$/;
|
||||
const bytesToBase64 = (bytesArg: Uint8Array): string => {
|
||||
let binary = '';
|
||||
for (const byte of bytesArg) {
|
||||
binary += String.fromCharCode(byte);
|
||||
}
|
||||
return btoa(binary);
|
||||
};
|
||||
|
||||
export function isBcryptHash(passwordHash: string): boolean {
|
||||
return bcryptHashPattern.test(passwordHash);
|
||||
}
|
||||
const base64ToBytes = (base64Arg: string): Uint8Array => {
|
||||
const binary = atob(base64Arg);
|
||||
const bytes = new Uint8Array(binary.length);
|
||||
for (let i = 0; i < binary.length; i++) {
|
||||
bytes[i] = binary.charCodeAt(i);
|
||||
}
|
||||
return bytes;
|
||||
};
|
||||
|
||||
export function needsPasswordUpgrade(passwordHash: string): boolean {
|
||||
return !isBcryptHash(passwordHash);
|
||||
const timingSafeEqual = (aArg: Uint8Array, bArg: Uint8Array): boolean => {
|
||||
if (aArg.length !== bArg.length) {
|
||||
return false;
|
||||
}
|
||||
|
||||
let diff = 0;
|
||||
for (let i = 0; i < aArg.length; i++) {
|
||||
diff |= aArg[i] ^ bArg[i];
|
||||
}
|
||||
return diff === 0;
|
||||
};
|
||||
|
||||
const toArrayBuffer = (bytesArg: Uint8Array): ArrayBuffer => {
|
||||
return bytesArg.buffer.slice(
|
||||
bytesArg.byteOffset,
|
||||
bytesArg.byteOffset + bytesArg.byteLength,
|
||||
) as ArrayBuffer;
|
||||
};
|
||||
|
||||
const derivePasswordHash = async (
|
||||
passwordArg: string,
|
||||
saltArg: Uint8Array,
|
||||
iterationsArg: number,
|
||||
): Promise<Uint8Array> => {
|
||||
const key = await crypto.subtle.importKey(
|
||||
'raw',
|
||||
new TextEncoder().encode(passwordArg),
|
||||
'PBKDF2',
|
||||
false,
|
||||
['deriveBits'],
|
||||
);
|
||||
|
||||
const bits = await crypto.subtle.deriveBits(
|
||||
{
|
||||
name: 'PBKDF2',
|
||||
hash: 'SHA-256',
|
||||
salt: toArrayBuffer(saltArg),
|
||||
iterations: iterationsArg,
|
||||
},
|
||||
key,
|
||||
pbkdf2KeyLengthBits,
|
||||
);
|
||||
|
||||
return new Uint8Array(bits);
|
||||
};
|
||||
|
||||
export function isPbkdf2Hash(passwordHash: string): boolean {
|
||||
return pbkdf2HashPattern.test(passwordHash);
|
||||
}
|
||||
|
||||
export async function hashPassword(password: string): Promise<string> {
|
||||
return await plugins.bcrypt.hash(password);
|
||||
// Use Web Crypto only so compiled binaries do not depend on external worker files.
|
||||
const salt = crypto.getRandomValues(new Uint8Array(16));
|
||||
const hash = await derivePasswordHash(password, salt, pbkdf2Iterations);
|
||||
return `pbkdf2-sha256$${pbkdf2Iterations}$${bytesToBase64(salt)}$${bytesToBase64(hash)}`;
|
||||
}
|
||||
|
||||
export async function verifyPassword(password: string, passwordHash: string): Promise<boolean> {
|
||||
@@ -19,10 +81,14 @@ export async function verifyPassword(password: string, passwordHash: string): Pr
|
||||
return false;
|
||||
}
|
||||
|
||||
if (isBcryptHash(passwordHash)) {
|
||||
return await plugins.bcrypt.compare(password, passwordHash);
|
||||
const pbkdf2Match = passwordHash.match(pbkdf2HashPattern);
|
||||
if (pbkdf2Match) {
|
||||
const iterations = Number(pbkdf2Match[1]);
|
||||
const salt = base64ToBytes(pbkdf2Match[2]);
|
||||
const expectedHash = base64ToBytes(pbkdf2Match[3]);
|
||||
const actualHash = await derivePasswordHash(password, salt, iterations);
|
||||
return timingSafeEqual(actualHash, expectedHash);
|
||||
}
|
||||
|
||||
// Legacy compatibility for older databases that stored base64-encoded passwords.
|
||||
return passwordHash === btoa(password);
|
||||
return false;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user