upd: rehash misskey passwords with argon2 on login
This commit is contained in:
parent
23515168c2
commit
e17dcd7814
1 changed files with 15 additions and 22 deletions
|
@ -4,9 +4,8 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import { Inject, Injectable } from '@nestjs/common';
|
import { Inject, Injectable } from '@nestjs/common';
|
||||||
//import bcrypt from 'bcryptjs';
|
import bcrypt from 'bcryptjs';
|
||||||
import * as argon2 from 'argon2';
|
import * as argon2 from 'argon2';
|
||||||
import bcrypt from "bcryptjs";
|
|
||||||
import * as OTPAuth from 'otpauth';
|
import * as OTPAuth from 'otpauth';
|
||||||
import { IsNull } from 'typeorm';
|
import { IsNull } from 'typeorm';
|
||||||
import { DI } from '@/di-symbols.js';
|
import { DI } from '@/di-symbols.js';
|
||||||
|
@ -26,22 +25,7 @@ import { RateLimiterService } from './RateLimiterService.js';
|
||||||
import { SigninService } from './SigninService.js';
|
import { SigninService } from './SigninService.js';
|
||||||
import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types';
|
import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types';
|
||||||
import type { FastifyReply, FastifyRequest } from 'fastify';
|
import type { FastifyReply, FastifyRequest } from 'fastify';
|
||||||
async function hashPassword(password: string): Promise<string> {
|
|
||||||
return argon2.hash(password);
|
|
||||||
}
|
|
||||||
async function comparePassword(
|
|
||||||
password: string,
|
|
||||||
hash: string,
|
|
||||||
): Promise<boolean> {
|
|
||||||
if (isOldAlgorithm(hash)) return bcrypt.compare(password, hash);
|
|
||||||
|
|
||||||
return argon2.verify(hash, password);
|
|
||||||
}
|
|
||||||
|
|
||||||
function isOldAlgorithm(hash: string): boolean {
|
|
||||||
// bcrypt hashes start with $2[ab]$
|
|
||||||
return hash.startsWith("$2");
|
|
||||||
}
|
|
||||||
@Injectable()
|
@Injectable()
|
||||||
export class SigninApiService {
|
export class SigninApiService {
|
||||||
constructor(
|
constructor(
|
||||||
|
@ -140,11 +124,8 @@ export class SigninApiService {
|
||||||
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
|
||||||
|
|
||||||
// Compare password
|
// Compare password
|
||||||
const same = await comparePassword(password, profile.password!);
|
const same = await argon2.verify(profile.password!, password) || bcrypt.compareSync(password, profile.password!);
|
||||||
if (same && isOldAlgorithm(profile.password!)) {
|
|
||||||
profile.password = await hashPassword(password);
|
|
||||||
await this.userProfilesRepository.save(profile);
|
|
||||||
}
|
|
||||||
const fail = async (status?: number, failure?: { id: string }) => {
|
const fail = async (status?: number, failure?: { id: string }) => {
|
||||||
// Append signin history
|
// Append signin history
|
||||||
await this.signinsRepository.insert({
|
await this.signinsRepository.insert({
|
||||||
|
@ -161,6 +142,12 @@ export class SigninApiService {
|
||||||
|
|
||||||
if (!profile.twoFactorEnabled) {
|
if (!profile.twoFactorEnabled) {
|
||||||
if (same) {
|
if (same) {
|
||||||
|
if (profile.password!.startsWith('$2')) {
|
||||||
|
const newHash = await argon2.hash(password);
|
||||||
|
this.userProfilesRepository.update(user.id, {
|
||||||
|
password: newHash
|
||||||
|
});
|
||||||
|
}
|
||||||
return this.signinService.signin(request, reply, user);
|
return this.signinService.signin(request, reply, user);
|
||||||
} else {
|
} else {
|
||||||
return await fail(403, {
|
return await fail(403, {
|
||||||
|
@ -177,6 +164,12 @@ export class SigninApiService {
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
if (profile.password!.startsWith('$2')) {
|
||||||
|
const newHash = await argon2.hash(password);
|
||||||
|
this.userProfilesRepository.update(user.id, {
|
||||||
|
password: newHash
|
||||||
|
});
|
||||||
|
}
|
||||||
await this.userAuthService.twoFactorAuthenticate(profile, token);
|
await this.userAuthService.twoFactorAuthenticate(profile, token);
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
return await fail(403, {
|
return await fail(403, {
|
||||||
|
|
Loading…
Reference in a new issue