From e17dcd7814558963b974b358f94ba68fb6f7d632 Mon Sep 17 00:00:00 2001 From: Mar0xy Date: Wed, 27 Sep 2023 21:46:56 +0200 Subject: [PATCH] upd: rehash misskey passwords with argon2 on login --- .../src/server/api/SigninApiService.ts | 37 ++++++++----------- 1 file changed, 15 insertions(+), 22 deletions(-) diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts index 687913731..cd5623aa9 100644 --- a/packages/backend/src/server/api/SigninApiService.ts +++ b/packages/backend/src/server/api/SigninApiService.ts @@ -4,9 +4,8 @@ */ import { Inject, Injectable } from '@nestjs/common'; -//import bcrypt from 'bcryptjs'; +import bcrypt from 'bcryptjs'; import * as argon2 from 'argon2'; -import bcrypt from "bcryptjs"; import * as OTPAuth from 'otpauth'; import { IsNull } from 'typeorm'; import { DI } from '@/di-symbols.js'; @@ -26,22 +25,7 @@ import { RateLimiterService } from './RateLimiterService.js'; import { SigninService } from './SigninService.js'; import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types'; import type { FastifyReply, FastifyRequest } from 'fastify'; -async function hashPassword(password: string): Promise { - return argon2.hash(password); -} -async function comparePassword( - password: string, - hash: string, -): Promise { - if (isOldAlgorithm(hash)) return bcrypt.compare(password, hash); - return argon2.verify(hash, password); -} - -function isOldAlgorithm(hash: string): boolean { - // bcrypt hashes start with $2[ab]$ - return hash.startsWith("$2"); -} @Injectable() export class SigninApiService { constructor( @@ -140,11 +124,8 @@ export class SigninApiService { const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id }); // Compare password - const same = await comparePassword(password, profile.password!); - if (same && isOldAlgorithm(profile.password!)) { - profile.password = await hashPassword(password); - await this.userProfilesRepository.save(profile); - } + const same = await argon2.verify(profile.password!, password) || bcrypt.compareSync(password, profile.password!); + const fail = async (status?: number, failure?: { id: string }) => { // Append signin history await this.signinsRepository.insert({ @@ -161,6 +142,12 @@ export class SigninApiService { if (!profile.twoFactorEnabled) { if (same) { + if (profile.password!.startsWith('$2')) { + const newHash = await argon2.hash(password); + this.userProfilesRepository.update(user.id, { + password: newHash + }); + } return this.signinService.signin(request, reply, user); } else { return await fail(403, { @@ -177,6 +164,12 @@ export class SigninApiService { } try { + if (profile.password!.startsWith('$2')) { + const newHash = await argon2.hash(password); + this.userProfilesRepository.update(user.id, { + password: newHash + }); + } await this.userAuthService.twoFactorAuthenticate(profile, token); } catch (e) { return await fail(403, {