Adding password salting

This commit is contained in:
Fabian Stamm
2020-02-07 19:31:00 +01:00
parent bfe53573f6
commit 416df84c8d
6 changed files with 170 additions and 2377 deletions


@ -49,6 +49,7 @@ UserRoute.post("/register", Register);
* @apiParam {String} username Username (either username or uid required)
* @apiParam {String} uid (either username or uid required)
* @apiParam {String} password Password hashed and salted like specification (only on type password)
* @apiParam {String | Number} time in milliseconds used to hash password. This is used to make passwords "expire"
*
* @apiSuccess {String} uid On type = "username"
* @apiSuccess {String} salt On type = "username"
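Review bot: The added `@apiParam` documents a field named `time`, but the login handler changed in this same commit destructures `date` from `req.body` and passes it to `moment(date)`, so a client following this doc (which presumably describes that login endpoint) would send a parameter the server ignores and get the generic password error; rename one side, e.g. `* @apiParam {String | Number} date Timestamp in milliseconds used to hash the password`. The doc should also state the accepted window, since the handler rejects any timestamp more than one minute away from server time with "Invalid timestamp", and say how the client derives the value (the server compares `password` against `sha512(storedPasswordHash + date)`), otherwise "like specification" is not actionable for API consumers. The phrase `make passwords "expire"` overstates the mechanism: the timestamp only limits replay of a captured login request to that ±1 minute window, the password itself does not expire, and the doc should say so to avoid a false sense of protection.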


@ -5,6 +5,8 @@ import moment = require("moment");
import LoginToken from "../../models/login_token";
import promiseMiddleware from "../../helper/promiseMiddleware";
import TwoFactor, { TFATypes, TFANames } from "../../models/twofactor";
import * as crypto from "crypto";
import Logging from "@hibas123/nodelogging";
const Login = promiseMiddleware(async (req: Request, res: Response) => {
let type = req.query.type;
@ -58,13 +60,22 @@ const Login = promiseMiddleware(async (req: Request, res: Response) => {
});
}
let { username, password, uid } = req.body;
let { username, password, uid, date } = req.body;
let user = await User.findOne(username ? { username: username.toLowerCase() } : { uid: uid })
if (!user) {
res.json({ error: req.__("User not found") })
} else {
if (user.password !== password) {
let upw = user.password;
if (date) {
if (!moment(date).isBetween(moment().subtract(1, "minute"), moment().add(1, "minute"))) {
res.json({ error: req.__("Invalid timestamp. Please check your devices time!") });
return;
} else {
upw = crypto.createHash("sha512").update(upw + date.toString()).digest("hex");
}
}
if (upw !== password) {
res.json({ error: req.__("Password or username wrong") })
} else {
let twofactor = await TwoFactor.find({ user: user._id, valid: true })