From fcc3f0d951954159c711f79e145b6c0f973b8370 Mon Sep 17 00:00:00 2001
From: Joe Previte
Date: Wed, 2 Jun 2021 13:11:01 -0700
Subject: [PATCH] refactor: update login logic with new async hashing

This adds the proper await logic for the hashing of passwords.
---
 src/node/routes/login.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
index 59444fd2..ecbc1804 100644
--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@@ -77,7 +77,12 @@ router.post("/", async (req, res) => {
 ? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
 : req.args.password && safeCompare(req.body.password, req.args.password)
 ) {
- const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : hash(req.body.password)
+ // NOTE@jsjoeio:
+ // We store the hashed password as a cookie. In order to be backwards-comptabile for the folks
+ // using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
+ // TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
+ // but doesn't check which algorithm they are using.
+ const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
 // The hash does not add any actual security but we do it for
 // obfuscation purposes (and as a side effect it handles escaping).
 res.cookie(Cookie.Key, hashedPassword, {
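Review bot: The new `await hash(req.body.password)` on the `const hashedPassword` line can reject, and nothing in the hunk catches it; the handler `router.post("/", async (req, res) => {` begins before the hunk, so unless a surrounding try/catch or an async-aware router wrapper exists there, a rejection in what looks like an Express 4 route becomes an unhandled promise rather than an error response. The added NOTE has a typo, `backwards-comptabile` → `backwards-compatible`, and since the two branches now differ in shape it would help to say explicitly that `hashLegacy` appears to be the synchronous sha256 path and `hash` the new asynchronous one. Because the value written by `res.cookie(Cookie.Key, hashedPassword, {` is what later requests present in place of the credential, it is worth confirming that the cookie options, which continue outside the hunk, set `httpOnly` and `sameSite`.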