fixed password hashing in the UI

2025-09-08 15:44:25 +08:00 · 2022-09-06 00:01:41 +02:00 · 2022-09-06 00:01:41 +02:00 · 43ba2dde1c
commit 43ba2dde1c
parent 26b55494b5
4 changed files with 24 additions and 6 deletions
--- a/warpgate-admin/src/api/users.rs
+++ b/warpgate-admin/src/api/users.rs
@ -10,6 +10,7 @@ use sea_orm::{
 };
 use tokio::sync::Mutex;
 use uuid::Uuid;
+use warpgate_common::helpers::hash::{hash_password, parse_hash};
 use warpgate_common::{
    Role as RoleConfig, User as UserConfig, UserAuthCredential, UserRequireCredentialsPolicy,
    WarpgateError,
@ -155,10 +156,18 @@ impl DetailApi {
            return Ok(UpdateUserResponse::NotFound);
        };

+        let mut credentials = body.credentials.clone();
+        for credential in credentials.iter_mut() {
+            if let UserAuthCredential::Password(ref mut c) = credential {
+                if parse_hash(&c.hash.expose_secret()).is_err() {
+                    c.hash = hash_password(&c.hash.expose_secret()).into();
+                }
+            }
+        }
+
        let mut model: User::ActiveModel = user.into();
        model.username = Set(body.username.clone());
-        model.credentials =
-            Set(serde_json::to_value(body.credentials.clone()).map_err(WarpgateError::from)?);
+        model.credentials = Set(serde_json::to_value(credentials).map_err(WarpgateError::from)?);
        model.credential_policy =
            Set(serde_json::to_value(body.credential_policy.clone())
                .map_err(WarpgateError::from)?);
--- a/warpgate-common/src/helpers/hash.rs
+++ b/warpgate-common/src/helpers/hash.rs
@ -19,8 +19,12 @@ pub fn hash_password(password: &str) -> String {
        .to_string()
 }

+pub fn parse_hash(hash: &str) -> Result<PasswordHash<'_>, Error> {
+    PasswordHash::new(hash)
+}
+
 pub fn verify_password_hash(password: &str, hash: &str) -> Result<bool> {
-    let parsed_hash = PasswordHash::new(hash).map_err(|e| anyhow::anyhow!(e))?;
+    let parsed_hash = parse_hash(hash).map_err(|e| anyhow::anyhow!(e))?;
    match Argon2::default().verify_password(password.as_bytes(), &parsed_hash) {
        Ok(()) => Ok(true),
        Err(Error::Password) => Ok(false),
--- a/warpgate-web/src/admin/User.svelte
+++ b/warpgate-web/src/admin/User.svelte
@ -183,9 +183,8 @@ async function remove () {
        if (!editingCredential) {
            return
        }
-        if (!user.credentials.includes(editingCredential)) {
-            user.credentials.push(editingCredential)
-        }
+        user.credentials = user.credentials.filter(c => c !== editingCredential)
+        user.credentials.push(editingCredential)
        editingCredential = undefined
    }}
    cancel={() => editingCredential = undefined}
--- a/warpgate-web/src/admin/UserCredentialModal.svelte
+++ b/warpgate-web/src/admin/UserCredentialModal.svelte
@ -31,6 +31,12 @@ function _save () {
        }
        credential.hash = newPassword
    }
+    if (credential.kind === 'PublicKey') {
+        if (credential.key.includes(' ')) {
+            const parts = credential.key.split(' ').filter(x => x)
+            credential.key = `${parts[0]} ${parts[1]}`
+        }
+    }
    visible = false
    save()
 }