fix: use compiled-safe password hashing

changelog.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 2026-05-08 - 1.24.6 - fix(auth)
+
+avoid bcrypt worker crashes in compiled binaries during login and password creation
+
+- replace bcrypt password hashing with a Web Crypto PBKDF2 hash format
+- remove legacy password-hash fallbacks; existing deployments need their admin user hash updated
+
+## 2026-05-08 - 1.24.5 - fix(opsserver)
+
+start the OpsServer with typedserver custom routes registered through the UtilityWebsiteServer hook
+
+- fixes daemon startup with the current typedserver lifecycle
+- cap SmartProxy readiness waiting at 10 seconds during daemon startup
+
+## 2026-05-08 - 1.24.4 - fix(installer)
+
+avoid documenting a hardcoded initial admin password for fresh installs
+
+- update installer output to point operators to the service logs or `ONEBOX_ADMIN_PASSWORD` for initial credentials
+
 ## 2026-05-08 - 1.24.3 - fix(runtime)
 
 upgrade runtime dependencies and harden registry/shutdown behavior

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@serve.zone/onebox",
-  "version": "1.24.3",
+  "version": "1.24.6",
   "exports": "./mod.ts",
   "tasks": {
     "test": "deno test --allow-all test/",

install.sh

@@ -305,6 +305,6 @@ else
   echo "     onebox service add myapp --image nginx:latest --domain app.example.com"
   echo ""
   echo "  Web UI: http://localhost:3000"
-  echo "  Default credentials: admin / admin"
+  echo "  Initial admin credentials are written to the service logs unless ONEBOX_ADMIN_PASSWORD is set."
 fi
 echo ""

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@serve.zone/onebox",
-  "version": "1.24.3",
+  "version": "1.24.6",
   "description": "Self-hosted container platform with automatic SSL and DNS - a mini Heroku for single servers",
   "main": "mod.ts",
   "type": "module",

test/auth_test.ts

@@ -5,8 +5,7 @@ import type { IUser as IDatabaseUser } from '../ts/types.ts';
 import { AdminHandler } from '../ts/opsserver/handlers/admin.handler.ts';
 import {
   hashPassword,
-  isBcryptHash,
-  needsPasswordUpgrade,
+  isPbkdf2Hash,
   verifyPassword,
 } from '../ts/utils/auth.ts';
 
@@ -45,18 +44,14 @@ async function createAdminHandler(users: IDatabaseUser[]): Promise<AdminHandler>
   return adminHandler;
 }
 
-Deno.test('password helpers support bcrypt and legacy password hashes', async () => {
+Deno.test('password helpers support PBKDF2 password hashes', async () => {
   const password = 'correct horse battery staple';
-  const bcryptHash = await hashPassword(password);
+  const passwordHash = await hashPassword(password);
 
-  assert(isBcryptHash(bcryptHash));
-  assert(await verifyPassword(password, bcryptHash));
-  assert(!(await verifyPassword('wrong password', bcryptHash)));
-  assert(!needsPasswordUpgrade(bcryptHash));
-
-  const legacyHash = btoa(password);
-  assert(await verifyPassword(password, legacyHash));
-  assert(needsPasswordUpgrade(legacyHash));
+  assert(isPbkdf2Hash(passwordHash));
+  assert(await verifyPassword(password, passwordHash));
+  assert(!(await verifyPassword('wrong password', passwordHash)));
+  assert(!(await verifyPassword(password, btoa(password))));
 });
 
 Deno.test('verified identity is derived from the signed JWT and database, not client fields', async () => {

ts/classes/reverseproxy.ts

@@ -77,7 +77,7 @@ export class OneboxReverseProxy {
     if (status.running) {
       logger.info(`HTTPS already running on port ${this.httpsPort} via SmartProxy`);
     } else {
-      await this.smartProxy.start();
+      logger.warn('Skipping HTTPS reverse proxy startup because SmartProxy is not running');
     }
   }
 

ts/classes/smartproxy.ts

@@ -217,7 +217,7 @@ export class SmartProxyManager {
     return network.Id;
   }
 
-  private async waitForReady(maxAttempts = 120, intervalMs = 1000): Promise<void> {
+  private async waitForReady(maxAttempts = 10, intervalMs = 1000): Promise<void> {
     for (let i = 0; i < maxAttempts; i++) {
       try {
         const response = await fetch(`${this.adminUrl}/ready`);

ts/opsserver/classes.opsserver.ts

@@ -36,6 +36,7 @@ export class OpsServer {
       domain: 'localhost',
       feedMetadata: undefined,
       bundledContent: bundledFiles,
+      addCustomRoutes: async (typedserver) => this.registerCustomRoutes(typedserver),
     });
 
     // Chain typedrouters: server -> opsServer -> individual handlers
@@ -43,7 +44,6 @@ export class OpsServer {
 
     // Set up all handlers
     await this.setupHandlers();
-    this.registerCustomRoutes();
 
     await this.server.start(port);
     logger.success(`OpsServer started on http://localhost:${port}`);
@@ -73,18 +73,18 @@ export class OpsServer {
     logger.success('OpsServer TypedRequest handlers initialized');
   }
 
-  private registerCustomRoutes(): void {
-    this.server.typedserver.addRoute(
+  private registerCustomRoutes(typedserver: plugins.typedserver.TypedServer): void {
+    typedserver.addRoute(
       '/v2',
       'ALL',
       async (ctx) => this.oneboxRef.registry.handleRequest(ctx.request),
     );
-    this.server.typedserver.addRoute(
+    typedserver.addRoute(
       '/v2/*',
       'ALL',
       async (ctx) => this.oneboxRef.registry.handleRequest(ctx.request),
     );
-    this.server.typedserver.addRoute(
+    typedserver.addRoute(
       '/backups/:backupId/download',
       'GET',
       async (ctx) => {

ts/opsserver/handlers/admin.handler.ts

@@ -2,7 +2,7 @@ import * as plugins from '../../plugins.ts';
 import { logger } from '../../logging.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { hashPassword, needsPasswordUpgrade, verifyPassword } from '../../utils/auth.ts';
+import { hashPassword, verifyPassword } from '../../utils/auth.ts';
 
 export interface IJwtData {
   userId: string;
@@ -112,11 +112,6 @@ export class AdminHandler {
               throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
             }
 
-            if (needsPasswordUpgrade(user.passwordHash)) {
-              const upgradedHash = await hashPassword(dataArg.password);
-              this.opsServerRef.oneboxRef.database.updateUserPassword(user.username, upgradedHash);
-            }
-
             const expiresAt = Date.now() + 24 * 3600 * 1000;
             const freshUser = this.opsServerRef.oneboxRef.database.getUserByUsername(user.username) || user;
             const identity = await this.createIdentityForUser(freshUser, expiresAt);

ts/plugins.ts

@@ -55,10 +55,6 @@ export const awsS3 = {
 import * as taskbuffer from '@push.rocks/taskbuffer';
 export { taskbuffer };
 
-// Crypto utilities (for password hashing, encryption)
-import * as bcrypt from 'https://deno.land/x/bcrypt@v0.4.1/mod.ts';
-export { bcrypt };
-
 // JWT for authentication
 import * as jwt from 'https://deno.land/x/djwt@v3.0.2/mod.ts';
 export { jwt};

ts/utils/auth.ts

@@ -1,17 +1,79 @@
-import * as plugins from '../plugins.ts';
+const pbkdf2HashPattern = /^pbkdf2-sha256\$(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$/;
+const pbkdf2Iterations = 210_000;
+const pbkdf2KeyLengthBits = 256;
 
-const bcryptHashPattern = /^\$2[abxy]\$\d\d\$/;
+const bytesToBase64 = (bytesArg: Uint8Array): string => {
+  let binary = '';
+  for (const byte of bytesArg) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary);
+};
 
-export function isBcryptHash(passwordHash: string): boolean {
-  return bcryptHashPattern.test(passwordHash);
+const base64ToBytes = (base64Arg: string): Uint8Array => {
+  const binary = atob(base64Arg);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+};
+
+const timingSafeEqual = (aArg: Uint8Array, bArg: Uint8Array): boolean => {
+  if (aArg.length !== bArg.length) {
+    return false;
   }
 
-export function needsPasswordUpgrade(passwordHash: string): boolean {
-  return !isBcryptHash(passwordHash);
+  let diff = 0;
+  for (let i = 0; i < aArg.length; i++) {
+    diff |= aArg[i] ^ bArg[i];
+  }
+  return diff === 0;
+};
+
+const toArrayBuffer = (bytesArg: Uint8Array): ArrayBuffer => {
+  return bytesArg.buffer.slice(
+    bytesArg.byteOffset,
+    bytesArg.byteOffset + bytesArg.byteLength,
+  ) as ArrayBuffer;
+};
+
+const derivePasswordHash = async (
+  passwordArg: string,
+  saltArg: Uint8Array,
+  iterationsArg: number,
+): Promise<Uint8Array> => {
+  const key = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(passwordArg),
+    'PBKDF2',
+    false,
+    ['deriveBits'],
+  );
+
+  const bits = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      hash: 'SHA-256',
+      salt: toArrayBuffer(saltArg),
+      iterations: iterationsArg,
+    },
+    key,
+    pbkdf2KeyLengthBits,
+  );
+
+  return new Uint8Array(bits);
+};
+
+export function isPbkdf2Hash(passwordHash: string): boolean {
+  return pbkdf2HashPattern.test(passwordHash);
 }
 
 export async function hashPassword(password: string): Promise<string> {
-  return await plugins.bcrypt.hash(password);
+  // Use Web Crypto only so compiled binaries do not depend on external worker files.
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const hash = await derivePasswordHash(password, salt, pbkdf2Iterations);
+  return `pbkdf2-sha256$${pbkdf2Iterations}$${bytesToBase64(salt)}$${bytesToBase64(hash)}`;
 }
 
 export async function verifyPassword(password: string, passwordHash: string): Promise<boolean> {
@@ -19,10 +81,14 @@ export async function verifyPassword(password: string, passwordHash: string): Pr
     return false;
   }
 
-  if (isBcryptHash(passwordHash)) {
-    return await plugins.bcrypt.compare(password, passwordHash);
+  const pbkdf2Match = passwordHash.match(pbkdf2HashPattern);
+  if (pbkdf2Match) {
+    const iterations = Number(pbkdf2Match[1]);
+    const salt = base64ToBytes(pbkdf2Match[2]);
+    const expectedHash = base64ToBytes(pbkdf2Match[3]);
+    const actualHash = await derivePasswordHash(password, salt, iterations);
+    return timingSafeEqual(actualHash, expectedHash);
   }
 
-  // Legacy compatibility for older databases that stored base64-encoded passwords.
-  return passwordHash === btoa(password);
+  return false;
 }