2018-09-07 15:56:11 +08:00
|
|
|
'use strict';
|
|
|
|
|
2018-09-21 16:25:55 +08:00
|
|
|
const bcrypt = require('bcryptjs');
|
|
|
|
const pbkdf2 = require('@phc/pbkdf2'); // see https://www.npmjs.com/package/@phc/pbkdf2
|
2020-10-08 15:50:51 +08:00
|
|
|
const unixcrypt = require('unixcrypt');
|
|
|
|
// unefficient but we are rehashing immediatelly after successful verification
|
|
|
|
const argon2 = require('argon2-browser');
|
2018-09-11 20:49:35 +08:00
|
|
|
// this crap is only needed to support legacy users imported from some older system
|
2018-09-21 16:25:55 +08:00
|
|
|
const cryptMD5 = require('./md5/cryptmd5').cryptMD5;
|
|
|
|
const consts = require('./consts');
|
2018-09-07 15:56:11 +08:00
|
|
|
|
|
|
|
// just pass hashing through to bcrypt
|
2019-07-12 16:19:46 +08:00
|
|
|
module.exports.hash = async password => {
|
2019-01-25 21:19:51 +08:00
|
|
|
password = (password || '').toString();
|
|
|
|
|
2018-09-21 16:25:55 +08:00
|
|
|
switch (consts.DEFAULT_HASH_ALGO) {
|
|
|
|
case 'pbkdf2':
|
2019-07-11 15:52:43 +08:00
|
|
|
return await pbkdf2.hash(password, {
|
|
|
|
iterations: consts.PDKDF2_ITERATIONS,
|
|
|
|
saltSize: consts.PDKDF2_SALT_SIZE,
|
|
|
|
digest: consts.PDKDF2_DIGEST
|
|
|
|
});
|
2018-09-21 16:25:55 +08:00
|
|
|
case 'bcrypt':
|
|
|
|
default:
|
2019-07-11 15:52:43 +08:00
|
|
|
return await bcrypt.hash(password, consts.BCRYPT_ROUNDS);
|
2018-09-21 16:25:55 +08:00
|
|
|
}
|
|
|
|
};
|
2018-09-07 15:56:11 +08:00
|
|
|
|
|
|
|
// compare against known hashing algos
|
2019-07-12 16:19:46 +08:00
|
|
|
module.exports.compare = async (password, hash) => {
|
2019-01-25 21:19:51 +08:00
|
|
|
password = (password || '').toString();
|
|
|
|
hash = (hash || '').toString();
|
|
|
|
|
2020-07-14 22:02:05 +08:00
|
|
|
let algo = checkHashSupport(hash);
|
|
|
|
if (!algo.result) {
|
|
|
|
throw new Error('Invalid algo: ' + JSON.stringify(algo.algo));
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (algo.algo) {
|
|
|
|
case 'pbkdf2':
|
|
|
|
return await pbkdf2.verify(hash, password);
|
2020-10-08 15:50:51 +08:00
|
|
|
|
2020-07-14 22:02:05 +08:00
|
|
|
case 'bcrypt':
|
|
|
|
return await bcrypt.compare(password, hash);
|
2020-10-08 15:50:51 +08:00
|
|
|
|
2020-07-14 22:02:05 +08:00
|
|
|
case 'unixcrypt':
|
|
|
|
return await unixcryptCompareAsync(password, hash);
|
2020-10-08 15:50:51 +08:00
|
|
|
|
|
|
|
case 'argon2':
|
|
|
|
try {
|
|
|
|
// throws if does not match
|
|
|
|
await argon2.verify({
|
|
|
|
pass: password,
|
|
|
|
encoded: hash
|
|
|
|
});
|
|
|
|
} catch (err) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
|
2020-07-14 22:02:05 +08:00
|
|
|
case 'md5': {
|
|
|
|
let result;
|
|
|
|
|
|
|
|
let salt = hash.split('$')[2] || '';
|
|
|
|
result = cryptMD5(password, salt) === hash;
|
|
|
|
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
throw new Error('Invalid algo: ' + JSON.stringify(algo));
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
function checkHashSupport(hash) {
|
|
|
|
hash = (hash || '').toString();
|
|
|
|
|
2019-01-25 21:19:51 +08:00
|
|
|
let algo = [].concat(hash.match(/^\$([^$]+)\$/) || [])[1];
|
|
|
|
algo = (algo || '').toString().toLowerCase();
|
2018-09-21 16:25:55 +08:00
|
|
|
|
2019-01-25 21:19:51 +08:00
|
|
|
switch (algo) {
|
2018-09-21 16:25:55 +08:00
|
|
|
case 'pbkdf2-sha512':
|
|
|
|
case 'pbkdf2-sha256':
|
|
|
|
case 'pbkdf2-sha1':
|
2020-07-14 22:02:05 +08:00
|
|
|
return { result: true, algo: 'pbkdf2' };
|
2018-09-07 15:56:11 +08:00
|
|
|
case '2a':
|
|
|
|
case '2b':
|
|
|
|
case '2y':
|
2020-07-14 22:02:05 +08:00
|
|
|
return { result: true, algo: 'bcrypt' };
|
2020-10-08 16:32:48 +08:00
|
|
|
case '6': // sha512crypt
|
|
|
|
case '5': // sha256crypt
|
2020-07-14 22:02:05 +08:00
|
|
|
return { result: true, algo: 'unixcrypt' };
|
2020-10-08 15:50:51 +08:00
|
|
|
|
|
|
|
case 'argon2d':
|
2020-10-08 15:57:26 +08:00
|
|
|
case 'argon2i':
|
2020-10-08 15:50:51 +08:00
|
|
|
case 'argon2id':
|
|
|
|
return { result: true, algo: 'argon2' };
|
|
|
|
|
2018-09-07 15:56:11 +08:00
|
|
|
case '1': {
|
2020-07-14 22:02:05 +08:00
|
|
|
return { result: true, algo: 'md5' };
|
2018-09-07 15:56:11 +08:00
|
|
|
}
|
|
|
|
default:
|
2020-07-14 22:02:05 +08:00
|
|
|
return { result: false, algo };
|
2018-09-07 15:56:11 +08:00
|
|
|
}
|
2020-10-08 15:50:51 +08:00
|
|
|
}
|
2018-09-21 16:25:55 +08:00
|
|
|
|
2020-07-14 22:02:05 +08:00
|
|
|
module.exports.checkHashSupport = checkHashSupport;
|
|
|
|
|
2018-09-21 16:25:55 +08:00
|
|
|
module.exports.shouldRehash = hash => {
|
2019-01-25 21:19:51 +08:00
|
|
|
hash = (hash || '').toString();
|
|
|
|
let algo = [].concat(hash.match(/^\$([^$]+)\$/) || [])[1];
|
|
|
|
algo = (algo || '').toString().toLowerCase();
|
2018-09-21 16:25:55 +08:00
|
|
|
|
2019-01-25 21:19:51 +08:00
|
|
|
switch (algo) {
|
2018-09-21 16:25:55 +08:00
|
|
|
case 'pbkdf2-sha512':
|
|
|
|
case 'pbkdf2-sha256':
|
|
|
|
case 'pbkdf2-sha1':
|
|
|
|
return consts.DEFAULT_HASH_ALGO !== 'pbkdf2';
|
|
|
|
|
|
|
|
case '2a':
|
|
|
|
case '2b':
|
|
|
|
case '2y':
|
|
|
|
return consts.DEFAULT_HASH_ALGO !== 'bcrypt';
|
2020-10-08 15:50:51 +08:00
|
|
|
|
|
|
|
// Always rehash the following algos
|
|
|
|
case '6': // sha512crypt
|
2020-10-08 16:32:48 +08:00
|
|
|
case '5': // sha256crypt
|
2020-10-08 15:50:51 +08:00
|
|
|
case '1': // md5
|
2020-10-08 15:57:26 +08:00
|
|
|
case 'argon2d': // Argon2 (mostly because we are using an inefficient implementation)
|
|
|
|
case 'argon2i':
|
2020-10-08 15:50:51 +08:00
|
|
|
case 'argon2id':
|
2020-07-14 03:02:07 +08:00
|
|
|
return true;
|
2018-09-21 16:25:55 +08:00
|
|
|
|
|
|
|
default:
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
};
|
2020-07-14 03:02:07 +08:00
|
|
|
|
|
|
|
async function unixcryptCompareAsync(password, hash) {
|
|
|
|
password = (password || '').toString();
|
|
|
|
hash = (hash || '').toString();
|
|
|
|
|
|
|
|
return unixcrypt.verify(password, hash);
|
2020-10-08 15:50:51 +08:00
|
|
|
}
|