heartles/egirlskey
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

upd: swap bcrypt to argon2, add misskey-js to dev, auto load replies

Browse source
This commit is contained in:
Mar0xy 2023-09-22 00:21:57 +02:00
parent 03b5acf17f
commit 7111c6c90b
No known key found for this signature in database
GPG key ID: 56569BBE47D2C828
20 changed files with 105 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

3
packages/backend/package.json
View file

@ -58,7 +58,6 @@
"dependencies": {
"@aws-sdk/client-s3": "3.412.0",
"@aws-sdk/lib-storage": "3.412.0",
"@smithy/node-http-handler": "2.1.5",
"@bull-board/api": "5.8.4",
"@bull-board/fastify": "5.8.4",
"@bull-board/ui": "5.8.4",
@ -77,11 +76,13 @@
"@peertube/http-signature": "1.7.0",
"@simplewebauthn/server": "8.1.1",
"@sinonjs/fake-timers": "11.1.0",
"@smithy/node-http-handler": "2.1.5",
"@swc/cli": "0.1.62",
"@swc/core": "1.3.86",
"accepts": "1.3.8",
"ajv": "8.12.0",
"archiver": "6.0.1",
"argon2": "^0.31.1",
"async-mutex": "0.4.0",
"bcryptjs": "2.4.3",
"blurhash": "2.0.5",

7
packages/backend/src/core/CreateSystemUserService.ts
View file

@ -5,7 +5,8 @@
import { randomUUID } from 'node:crypto';
import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
//import bcrypt from 'bcryptjs';
import { IsNull, DataSource } from 'typeorm';
import { genRsaKeyPair } from '@/misc/gen-key-pair.js';
import { MiUser } from '@/models/User.js';
@ -32,8 +33,8 @@ export class CreateSystemUserService {
const password = randomUUID();
// Generate hash of password
const salt = await bcrypt.genSalt(8);
const hash = await bcrypt.hash(password, salt);
//const salt = await bcrypt.genSalt(8);
const hash = await argon2.hash(password);
// Generate secret
const secret = generateNativeUserToken();

7
packages/backend/src/core/SignupService.ts
View file

@ -5,7 +5,8 @@
import { generateKeyPair } from 'node:crypto';
import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { DataSource, IsNull } from 'typeorm';
import { DI } from '@/di-symbols.js';
import type { UsedUsernamesRepository, UsersRepository } from '@/models/_.js';
@ -64,8 +65,8 @@ export class SignupService {
}
// Generate hash of password
const salt = await bcrypt.genSalt(8);
hash = await bcrypt.hash(password, salt);
//const salt = await bcrypt.genSalt(8);
hash = await argon2.hash(password);
}
// Generate secret

5
packages/backend/src/server/api/SigninApiService.ts
View file

@ -4,7 +4,8 @@
*/
import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import * as OTPAuth from 'otpauth';
import { IsNull } from 'typeorm';
import { DI } from '@/di-symbols.js';
@ -121,7 +122,7 @@ export class SigninApiService {
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
// Compare password
const same = await bcrypt.compare(password, profile.password!);
const same = await argon2.verify(profile.password!, password);
const fail = async (status?: number, failure?: { id: string }) => {
// Append signin history

7
packages/backend/src/server/api/SignupApiService.ts
View file

@ -4,7 +4,8 @@
*/
import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { IsNull } from 'typeorm';
import { DI } from '@/di-symbols.js';
import type { RegistrationTicketsRepository, UsedUsernamesRepository, UserPendingsRepository, UserProfilesRepository, UsersRepository, MiRegistrationTicket } from '@/models/_.js';
@ -160,8 +161,8 @@ export class SignupApiService {
const code = secureRndstr(16, { chars: L_CHARS });
// Generate hash of password
const salt = await bcrypt.genSalt(8);
const hash = await bcrypt.hash(password, salt);
//const salt = await bcrypt.genSalt(8);
const hash = await argon2.hash(password);
const pendingUser = await this.userPendingsRepository.insert({
id: this.idService.genId(),

5
packages/backend/src/server/api/endpoints/admin/reset-password.ts
View file

@ -4,7 +4,8 @@
*/
import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
import { DI } from '@/di-symbols.js';
@ -61,7 +62,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const passwd = secureRndstr(8);
// Generate hash of password
const hash = bcrypt.hashSync(passwd);
const hash = await argon2.hash(passwd);
await this.userProfilesRepository.update({
userId: user.id,

5
packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import { UserEntityService } from '@/core/entities/UserEntityService.js';
@ -61,7 +62,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
// Compare password
const same = await bcrypt.compare(ps.password, profile.password ?? '');
const same = await argon2.verify(profile.password ?? '', ps.password);
if (!same) {
throw new ApiError(meta.errors.incorrectPassword);

5
packages/backend/src/server/api/endpoints/i/2fa/register-key.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UserProfilesRepository } from '@/models/_.js';
@ -67,7 +68,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
}
// Compare password
const same = await bcrypt.compare(ps.password, profile.password ?? '');
const same = await argon2.verify(profile.password ?? '', ps.password);
if (!same) {
throw new ApiError(meta.errors.incorrectPassword);

5
packages/backend/src/server/api/endpoints/i/2fa/register.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import * as OTPAuth from 'otpauth';
import * as QRCode from 'qrcode';
import { Inject, Injectable } from '@nestjs/common';
@ -48,7 +49,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
// Compare password
const same = await bcrypt.compare(ps.password, profile.password ?? '');
const same = await argon2.verify(profile.password ?? '', ps.password);
if (!same) {
throw new ApiError(meta.errors.incorrectPassword);

5
packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UserProfilesRepository, UserSecurityKeysRepository } from '@/models/_.js';
@ -51,7 +52,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
// Compare password
const same = await bcrypt.compare(ps.password, profile.password ?? '');
const same = await argon2.verify(profile.password ?? '', ps.password);
if (!same) {
throw new ApiError(meta.errors.incorrectPassword);

5
packages/backend/src/server/api/endpoints/i/2fa/unregister.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import { UserEntityService } from '@/core/entities/UserEntityService.js';
@ -47,7 +48,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
// Compare password
const same = await bcrypt.compare(ps.password, profile.password ?? '');
const same = await argon2.verify(profile.password ?? '', ps.password);
if (!same) {
throw new ApiError(meta.errors.incorrectPassword);

2
packages/backend/src/server/api/endpoints/i/2fa/update-key.ts
View file

@ -3,7 +3,7 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UserSecurityKeysRepository } from '@/models/_.js';

9
packages/backend/src/server/api/endpoints/i/change-password.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UserProfilesRepository } from '@/models/_.js';
@ -34,15 +35,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
// Compare password
const same = await bcrypt.compare(ps.currentPassword, profile.password!);
const same = await argon2.verify(profile.password!, ps.currentPassword);
if (!same) {
throw new Error('incorrect password');
}
// Generate hash of password
const salt = await bcrypt.genSalt(8);
const hash = await bcrypt.hash(ps.newPassword, salt);
//const salt = await bcrypt.genSalt(8);
const hash = await argon2.hash(ps.newPassword);
await this.userProfilesRepository.update(me.id, {
password: hash,

5
packages/backend/src/server/api/endpoints/i/delete-account.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
import { Endpoint } from '@/server/api/endpoint-base.js';
@ -43,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
// Compare password
const same = await bcrypt.compare(ps.password, profile.password!);
const same = await argon2.verify(profile.password!, ps.password);
if (!same) {
throw new Error('incorrect password');

5
packages/backend/src/server/api/endpoints/i/regenerate-token.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
@ -43,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
// Compare password
const same = await bcrypt.compare(ps.password, profile.password!);
const same = await argon2.verify(profile.password!, ps.password);
if (!same) {
throw new Error('incorrect password');

5
packages/backend/src/server/api/endpoints/i/update-email.ts
View file

@ -5,7 +5,8 @@
import { Inject, Injectable } from '@nestjs/common';
import ms from 'ms';
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UserProfilesRepository } from '@/models/_.js';
import { UserEntityService } from '@/core/entities/UserEntityService.js';
@ -67,7 +68,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
// Compare password
const same = await bcrypt.compare(ps.password, profile.password!);
const same = await argon2.verify(profile.password!, ps.password);
if (!same) {
throw new ApiError(meta.errors.incorrectPassword);

7
packages/backend/src/server/api/endpoints/reset-password.ts
View file

@ -3,7 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import bcrypt from 'bcryptjs';
//import bcrypt from 'bcryptjs';
import * as argon2 from 'argon2';
import { Inject, Injectable } from '@nestjs/common';
import type { UserProfilesRepository, PasswordResetRequestsRepository } from '@/models/_.js';
import { Endpoint } from '@/server/api/endpoint-base.js';
@ -50,8 +51,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
// Generate hash of password
const salt = await bcrypt.genSalt(8);
const hash = await bcrypt.hash(ps.password, salt);
//const salt = await bcrypt.genSalt(8);
const hash = await argon2.hash(ps.password);
await this.userProfilesRepository.update(req.userId, {
password: hash,