feat: update cli and test for hashed-password

ffa5c16e · Joe Previte · 788b958e · ffa5c16e · ffa5c16e · ffa5c16e
显示空白变更内容
内联并排

Showing with 16 addition and 5 deletion

src/node/cli.ts src/node/cli.ts +1 -1

src/node/routes/login.ts src/node/routes/login.ts +10 -1

test/unit/cli.test.ts test/unit/cli.test.ts +5 -3

未找到文件。
--- a/src/node/cli.ts
+++ b/src/node/cli.ts
@@ -114,7 +114,7 @@ const options: Options<Required<Args>> = {
  "hashed-password": {
    type: "string",
    description:
-      "The password hashed with SHA-256 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
+      "The password hashed with argon2 for password authentication (can only be passed in via $HASHED_PASSWORD or the config file). \n" +
      "Takes precedence over 'password'.",
  },
  cert: {

--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@@ -5,7 +5,7 @@ import * as path from "path"
 import safeCompare from "safe-compare"
 import { rootPath } from "../constants"
 import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"
-import { hash, hashLegacy, humanPath, isHashLegacyMatch } from "../util"
+import { hash, hashLegacy, humanPath, isHashLegacyMatch, isHashMatch } from "../util"

 export enum Cookie {
  Key = "key",
@@ -72,6 +72,14 @@ router.post("/", async (req, res) => {
      throw new Error("Missing password")
    }

+    // this logic below is flawed
+    const theHash = await hash(req.body.password)
+    const hashedPassword = req.args["hashed-password"] || ""
+    const match = await isHashMatch(req.body.password, hashedPassword)
+    // console.log(`The actual hash: ${theHash}`)
+    // console.log(`hashed-password from config: ${hashedPassword}`)
+    // console.log(theHash, hashedPassword)
+    console.log(`is it a match??? ${match}`)
    if (
      req.args["hashed-password"]
        ? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
@@ -82,6 +90,7 @@ router.post("/", async (req, res) => {
      // using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
      // TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
      // but doesn't check which algorithm they are using.
+      console.log(`What is this? ${req.args["hashed-password"]}`, Boolean(req.args["hashed-password"]))
      const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
      // The hash does not add any actual security but we do it for
      // obfuscation purposes (and as a side effect it handles escaping).

--- a/test/unit/cli.test.ts
+++ b/test/unit/cli.test.ts
@@ -305,8 +305,9 @@ describe("parser", () => {
    })
  })

-  it("should use env var hashed password", async () => {
-    process.env.HASHED_PASSWORD = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" // test
+  it.only("should use env var hashed password", async () => {
+    process.env.HASHED_PASSWORD =
+      "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY" // test
    const args = parse([])
    expect(args).toEqual({
      _: [],
@@ -316,7 +317,8 @@ describe("parser", () => {
    expect(defaultArgs).toEqual({
      ...defaults,
      _: [],
-      "hashed-password": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
+      "hashed-password":
+        "$argon2i$v=19$m=4096,t=3,p=1$0qR/o+0t00hsbJFQCKSfdQ$oFcM4rL6o+B7oxpuA4qlXubypbBPsf+8L531U7P9HYY",
      usingEnvHashedPassword: true,
    })
  })