wildduck/lib/hashes.js

'use strict';

const bcrypt = require('bcryptjs');
const pbkdf2 = require('@phc/pbkdf2'); // see https://www.npmjs.com/package/@phc/pbkdf2
// this crap is only needed to support legacy users imported from some older system
const cryptMD5 = require('./md5/cryptmd5').cryptMD5;
const consts = require('./consts');

// just pass hashing through to bcrypt
module.exports.asyncHash = async password => {
    password = (password || '').toString();

    switch (consts.DEFAULT_HASH_ALGO) {
        case 'pbkdf2':
            return await pbkdf2.hash(password, {
                iterations: consts.PDKDF2_ITERATIONS,
                saltSize: consts.PDKDF2_SALT_SIZE,
                digest: consts.PDKDF2_DIGEST
            });
        case 'bcrypt':
        default:
            return await bcrypt.hash(password, consts.BCRYPT_ROUNDS);
    }
};

module.exports.hash = (password, callback) => {
    module.exports
        .asyncHash(password)
        .then(hash => callback(null, hash))
        .catch(callback);
};

// compare against known hashing algos
module.exports.asyncCompare = async (password, hash) => {
    password = (password || '').toString();
    hash = (hash || '').toString();

    let algo = [].concat(hash.match(/^\$([^$]+)\$/) || [])[1];
    algo = (algo || '').toString().toLowerCase();

    switch (algo) {
        case 'pbkdf2-sha512':
        case 'pbkdf2-sha256':
        case 'pbkdf2-sha1':
            return await pbkdf2.verify(hash, password);

        case '2a':
        case '2b':
        case '2y':
            return await bcrypt.compare(password, hash);

        case '1': {
            let result;

            let salt = hash.split('$')[2] || '';
            result = cryptMD5(password, salt) === hash;

            return result;
        }
        default:
            throw new Error('Invalid algo: ' + JSON.stringify(algo));
    }
};

module.exports.compare = (password, hash, callback) => {
    module.exports
        .asyncCompare(password, hash)
        .then(result => callback(null, result))
        .catch(callback);
};

module.exports.shouldRehash = hash => {
    hash = (hash || '').toString();
    let algo = [].concat(hash.match(/^\$([^$]+)\$/) || [])[1];
    algo = (algo || '').toString().toLowerCase();

    switch (algo) {
        case 'pbkdf2-sha512':
        case 'pbkdf2-sha256':
        case 'pbkdf2-sha1':
            return consts.DEFAULT_HASH_ALGO !== 'pbkdf2';

        case '2a':
        case '2b':
        case '2y':
            return consts.DEFAULT_HASH_ALGO !== 'bcrypt';

        case '1': {
            return consts.DEFAULT_HASH_ALGO !== 'md5-crypt';
        }

        default:
            return false;
    }
};
Allow using password hashes 2018-09-07 15:56:11 +08:00			`'use strict';`

use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`const bcrypt = require('bcryptjs');`
			`const pbkdf2 = require('@phc/pbkdf2'); // see https://www.npmjs.com/package/@phc/pbkdf2`
updated md5 hash handling 2018-09-11 20:49:35 +08:00			`// this crap is only needed to support legacy users imported from some older system`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`const cryptMD5 = require('./md5/cryptmd5').cryptMD5;`
			`const consts = require('./consts');`
Allow using password hashes 2018-09-07 15:56:11 +08:00
			`// just pass hashing through to bcrypt`
starting asyncifying 2019-07-11 15:52:43 +08:00			`module.exports.asyncHash = async password => {`
bumped deps 2019-01-25 21:19:51 +08:00			`password = (password \|\| '').toString();`

use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`switch (consts.DEFAULT_HASH_ALGO) {`
			`case 'pbkdf2':`
starting asyncifying 2019-07-11 15:52:43 +08:00			`return await pbkdf2.hash(password, {`
			`iterations: consts.PDKDF2_ITERATIONS,`
			`saltSize: consts.PDKDF2_SALT_SIZE,`
			`digest: consts.PDKDF2_DIGEST`
			`});`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`case 'bcrypt':`
			`default:`
starting asyncifying 2019-07-11 15:52:43 +08:00			`return await bcrypt.hash(password, consts.BCRYPT_ROUNDS);`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`}`
			`};`
Allow using password hashes 2018-09-07 15:56:11 +08:00
starting asyncifying 2019-07-11 15:52:43 +08:00			`module.exports.hash = (password, callback) => {`
			`module.exports`
			`.asyncHash(password)`
			`.then(hash => callback(null, hash))`
			`.catch(callback);`
			`};`

Allow using password hashes 2018-09-07 15:56:11 +08:00			`// compare against known hashing algos`
starting asyncifying 2019-07-11 15:52:43 +08:00			`module.exports.asyncCompare = async (password, hash) => {`
bumped deps 2019-01-25 21:19:51 +08:00			`password = (password \|\| '').toString();`
			`hash = (hash \|\| '').toString();`

			`let algo = [].concat(hash.match(/^\$([^$]+)\$/) \|\| [])[1];`
			`algo = (algo \|\| '').toString().toLowerCase();`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00
bumped deps 2019-01-25 21:19:51 +08:00			`switch (algo) {`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`case 'pbkdf2-sha512':`
			`case 'pbkdf2-sha256':`
			`case 'pbkdf2-sha1':`
starting asyncifying 2019-07-11 15:52:43 +08:00			`return await pbkdf2.verify(hash, password);`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00
Allow using password hashes 2018-09-07 15:56:11 +08:00			`case '2a':`
			`case '2b':`
			`case '2y':`
starting asyncifying 2019-07-11 15:52:43 +08:00			`return await bcrypt.compare(password, hash);`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00
Allow using password hashes 2018-09-07 15:56:11 +08:00			`case '1': {`
			`let result;`
starting asyncifying 2019-07-11 15:52:43 +08:00
			`let salt = hash.split('$')[2] \|\| '';`
			`result = cryptMD5(password, salt) === hash;`

			`return result;`
Allow using password hashes 2018-09-07 15:56:11 +08:00			`}`
			`default:`
starting asyncifying 2019-07-11 15:52:43 +08:00			`throw new Error('Invalid algo: ' + JSON.stringify(algo));`
Allow using password hashes 2018-09-07 15:56:11 +08:00			`}`
			`};`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00
starting asyncifying 2019-07-11 15:52:43 +08:00			`module.exports.compare = (password, hash, callback) => {`
			`module.exports`
			`.asyncCompare(password, hash)`
			`.then(result => callback(null, result))`
			`.catch(callback);`
			`};`

use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`module.exports.shouldRehash = hash => {`
bumped deps 2019-01-25 21:19:51 +08:00			`hash = (hash \|\| '').toString();`
			`let algo = [].concat(hash.match(/^\$([^$]+)\$/) \|\| [])[1];`
			`algo = (algo \|\| '').toString().toLowerCase();`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00
bumped deps 2019-01-25 21:19:51 +08:00			`switch (algo) {`
use pbkdf2 as default password hash (uses native module), added disabled property for filter API 2018-09-21 16:25:55 +08:00			`case 'pbkdf2-sha512':`
			`case 'pbkdf2-sha256':`
			`case 'pbkdf2-sha1':`
			`return consts.DEFAULT_HASH_ALGO !== 'pbkdf2';`

			`case '2a':`
			`case '2b':`
			`case '2y':`
			`return consts.DEFAULT_HASH_ALGO !== 'bcrypt';`

			`case '1': {`
			`return consts.DEFAULT_HASH_ALGO !== 'md5-crypt';`
			`}`

			`default:`
			`return false;`
			`}`
			`};`