Fix registration not using sCrypt for registration

pull/5/head
Trivernis 5 years ago
parent f966a87766
commit e6706ff950

@ -65,6 +65,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- sendRequest allowing duplicates - sendRequest allowing duplicates
- upload throwing an error when the old picture doesn't exist - upload throwing an error when the old picture doesn't exist
- extension of uploaded videos doesn't have a dot - extension of uploaded videos doesn't have a dot
- registration with empty username or password is possible
## [0.9] - 2019-10-29 ## [0.9] - 2019-10-29

@ -29,8 +29,9 @@ const scrKeyLength = 64;
/** /**
* Creates a random salt. * Creates a random salt.
*/ */
function generateSalt(): Buffer { function generateSalt(): string {
return crypto.randomBytes(32); const salt = crypto.randomBytes(32);
return Buffer.from(salt).toString("hex");
} }
/** /**
@ -58,11 +59,11 @@ function sha512HashPassword(password: string) {
* Generates a new handle from the username and a base64 string of the current time. * Generates a new handle from the username and a base64 string of the current time.
* @param username * @param username
*/ */
async function generateHandle(username: string) { async function generateHandle(username: string): Promise<string> {
username = username.toLowerCase().replace(/\s/g, "_"); username = username.toLowerCase().replace(/\s/g, "_");
const count = await models.User.count({where: {handle: {[sqz.Op.like]: `%${username}%`}}}); const count = await models.User.count({where: {handle: {[sqz.Op.like]: `%${username}%`}}});
if (count > 0) { if (count > 0) {
return `${username}${count}`; return await generateHandle(`${username}${count}`);
} else { } else {
return username; return username;
} }
@ -149,11 +150,11 @@ namespace dataaccess {
*/ */
export async function getUserByLogin(email: string, password: string): Promise<models.User> { export async function getUserByLogin(email: string, password: string): Promise<models.User> {
const user = await models.User.findOne({where: {email}}); const user = await models.User.findOne({where: {email}});
if (user) {
if (!user.salt) { if (!user.salt) {
const hashPassword = sha512HashPassword(password); const hashPassword = sha512HashPassword(password);
if (hashPassword === user.password) { if (hashPassword === user.password) {
const salt = generateSalt(); user.salt = generateSalt();
user.salt = Buffer.from(salt).toString("hex");
user.password = await scryptHashPassword(password, Buffer.from(user.salt)); user.password = await scryptHashPassword(password, Buffer.from(user.salt));
await user.save(); await user.save();
password = user.password; password = user.password;
@ -161,7 +162,6 @@ namespace dataaccess {
} else { } else {
password = await scryptHashPassword(password, Buffer.from(user.salt)); password = await scryptHashPassword(password, Buffer.from(user.salt));
} }
if (user) {
if (user.password === password) { if (user.password === password) {
return user; return user;
} else { } else {
@ -191,13 +191,12 @@ namespace dataaccess {
if (blacklisted.length > 0) { if (blacklisted.length > 0) {
throw new BlacklistedError(blacklisted.map((p) => p.phrase), "username"); throw new BlacklistedError(blacklisted.map((p) => p.phrase), "username");
} }
const hash = crypto.createHash("sha512");
hash.update(password);
password = hash.digest("hex");
const existResult = !!(await models.User.findOne({where: {email}})); const existResult = !!(await models.User.findOne({where: {email}}));
const handle = await generateHandle(username); const handle = await generateHandle(username);
if (!existResult) { if (!existResult) {
return models.User.create({username, email, password, handle}); const salt = generateSalt();
password = await scryptHashPassword(password, Buffer.from(salt));
return models.User.create({username, email, password, handle, salt});
} else { } else {
throw new EmailAlreadyRegisteredError(email); throw new EmailAlreadyRegisteredError(email);
} }
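Review bot: `Buffer.from(salt)` on the line after `const salt = generateSalt();` in the register hunk, and `Buffer.from(user.salt)` in the getUserByLogin hunks, encode the hex string that generateSalt() now returns as UTF-8, so scrypt is salted with the 64 hex characters rather than the 32 random bytes. The call sites agree with each other, so login still verifies, but the intent reads as `Buffer.from(salt, "hex")`, and changing that now would invalidate hashes already stored by the migration branch in getUserByLogin, so the choice should be documented instead, e.g. on generateSalt: `* Returns the salt hex-encoded; callers pass the hex text itself, not the decoded bytes, to scryptHashPassword.` Separately, `user.password === password`, now inside the `if (user)` block the commit moved up, compares the two hashes as ordinary strings; a login check is better written as `crypto.timingSafeEqual(Buffer.from(user.password), Buffer.from(password))` behind a length guard, since timingSafeEqual throws on unequal lengths. Both getUserByLogin and register continue outside these hunks.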

@ -31,6 +31,7 @@ import {
} from "../../lib/models"; } from "../../lib/models";
import {Report} from "../../lib/models"; import {Report} from "../../lib/models";
import {ReportReason} from "../../lib/models"; import {ReportReason} from "../../lib/models";
import {is} from "../../lib/regex";
import {UploadManager} from "../../lib/UploadManager"; import {UploadManager} from "../../lib/UploadManager";
import {BaseResolver} from "./BaseResolver"; import {BaseResolver} from "./BaseResolver";
@ -99,7 +100,10 @@ export class MutationResolver extends BaseResolver {
*/ */
public async register({username, email, passwordHash}: { username: string, email: string, passwordHash: string }, public async register({username, email, passwordHash}: { username: string, email: string, passwordHash: string },
request: any): Promise<User> { request: any): Promise<User> {
let mailValid = isEmail(email); if (username?.length === 0 || email?.length === 0 || passwordHash?.length === 0) {
throw new GraphQLError("No username or email or password given.");
}
let mailValid = is.email(email);
if (mailValid) { if (mailValid) {
try { try {
mailValid = (await legit(email)).isValid; mailValid = (await legit(email)).isValid;
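Review bot: The new guard `username?.length === 0 || email?.length === 0 || passwordHash?.length === 0` only rejects empty strings; with optional chaining a missing field evaluates to `undefined === 0` and passes, even though the error text says "No username or email or password given.", and a whitespace-only username passes as well (generateHandle in the dataaccess hunks on this page maps it to underscores). Unless the GraphQL schema already declares these arguments non-null, `if (!username?.trim() || !email || !passwordHash) {` covers all three cases with the same message. The register method continues outside the hunk.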
