Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
DCloud
hello_uni-id-pages
提交
39620190
H
hello_uni-id-pages
项目概览
DCloud
/
hello_uni-id-pages
通知
1054
Star
31
Fork
43
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
4
列表
看板
标记
里程碑
合并请求
2
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
H
hello_uni-id-pages
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
4
Issue
4
列表
看板
标记
里程碑
合并请求
2
合并请求
2
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
提交
39620190
编写于
10月 27, 2022
作者:
C
chenruilong
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
feat: 密码策略升级 (sha256)
上级
39bf8560
变更
8
显示空白变更内容
内联
并排
Showing
8 changed file
with
119 addition
and
83 deletion
+119
-83
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lib/utils/login.js
...ages/uniCloud/cloudfunctions/uni-id-co/lib/utils/login.js
+4
-4
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lib/utils/password.js
...s/uniCloud/cloudfunctions/uni-id-co/lib/utils/password.js
+90
-38
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lib/utils/register.js
...s/uniCloud/cloudfunctions/uni-id-co/lib/utils/register.js
+3
-7
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/account/reset-pwd-by-email.js
...dfunctions/uni-id-co/module/account/reset-pwd-by-email.js
+4
-7
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/account/reset-pwd-by-sms.js
...oudfunctions/uni-id-co/module/account/reset-pwd-by-sms.js
+4
-7
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/account/update-pwd.js
...oud/cloudfunctions/uni-id-co/module/account/update-pwd.js
+8
-7
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/admin/add-user.js
...niCloud/cloudfunctions/uni-id-co/module/admin/add-user.js
+2
-6
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/admin/update-user.js
...loud/cloudfunctions/uni-id-co/module/admin/update-user.js
+4
-7
未找到文件。
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lib/utils/login.js
浏览文件 @
39620190
...
...
@@ -78,16 +78,16 @@ async function preLoginWithPassword (params = {}) {
}
}
const
passwordUtils
=
new
PasswordUtils
({
passwordSecret
:
this
.
config
.
passwordSecret
passwordHash
:
userRecord
.
password
,
passwordSecret
:
this
.
config
.
passwordSecret
,
passwordSecretVersion
:
userRecord
.
password_secret_version
})
const
{
success
:
checkPasswordSuccess
,
refreshPasswordInfo
}
=
passwordUtils
.
checkUserPassword
({
password
,
passwordHash
:
userRecord
.
password
,
passwordSecretVersion
:
userRecord
.
password_secret_version
password
})
if
(
!
checkPasswordSuccess
)
{
// 更新用户ip对应的密码错误记录
...
...
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lib/utils/password.js
浏览文件 @
39620190
...
...
@@ -3,18 +3,41 @@ const {
}
=
require
(
'
../../common/utils
'
)
const
crypto
=
require
(
'
crypto
'
)
const
PasswordMethodMaps
=
{
A
:
'
hmac-sha1
'
,
B
:
'
hmac-sha256
'
}
const
PasswordMethodFlagMaps
=
Object
.
keys
(
PasswordMethodMaps
).
reduce
((
res
,
item
)
=>
{
res
[
PasswordMethodMaps
[
item
]]
=
item
return
res
},
{})
const
PasswordHashMethod
=
{
'
hmac-sha1
'
:
function
(
content
,
secret
)
{
const
hmac
=
crypto
.
createHmac
(
'
sha1
'
,
secret
.
toString
(
'
ascii
'
))
hmac
.
update
(
content
)
return
hmac
.
digest
(
'
hex
'
)
},
'
hmac-sha256
'
:
function
(
content
,
secret
)
{
const
hmac
=
crypto
.
createHmac
(
'
sha256
'
,
secret
)
hmac
.
update
(
content
)
return
hmac
.
digest
(
'
hex
'
)
}
}
class
PasswordUtils
{
constructor
({
passwordSecret
passwordHash
=
''
,
passwordSecret
=
''
,
passwordSecretVersion
}
=
{})
{
this
.
passwordHash
=
passwordHash
this
.
passwordSecretVersion
=
passwordSecretVersion
this
.
password
=
this
.
parsePassword
()
// 老版本会存在 passwordSecret
if
(
passwordSecret
)
{
const
passwordSecretType
=
getType
(
passwordSecret
)
if
(
passwordSecretType
===
'
array
'
)
{
this
.
passwordSecret
=
passwordSecret
.
sort
((
a
,
b
)
=>
{
...
...
@@ -22,8 +45,20 @@ class PasswordUtils {
})
}
else
if
(
passwordSecretType
===
'
string
'
)
{
this
.
passwordSecret
=
[{
value
:
passwordSecret
}]
}
else
{
throw
new
Error
(
'
Invalid password secret
'
)
}
}
}
parsePassword
()
{
const
[
algorithmKey
=
''
,
cost
=
0
,
hashStr
=
''
]
=
this
.
passwordHash
.
split
(
'
$
'
).
filter
(
key
=>
key
)
const
algorithm
=
PasswordMethodMaps
[
algorithmKey
]
||
null
const
salt
=
hashStr
.
substring
(
0
,
Number
(
cost
))
const
hash
=
hashStr
.
substring
(
Number
(
cost
))
return
{
algorithm
,
salt
,
hash
}
}
...
...
@@ -51,37 +86,34 @@ class PasswordUtils {
checkUserPassword
(
params
=
{})
{
const
{
password
,
passwordHash
:
passwordHashToCheck
,
passwordSecretVersion
,
autoRefresh
=
true
}
=
params
const
currentPasswordSecret
=
this
.
getSecretByVersion
({
version
:
passwordSecretVersion
let
passwordHash
if
(
this
.
password
.
algorithm
)
{
passwordHash
=
PasswordHashMethod
[
this
.
password
.
algorithm
](
password
,
this
.
password
.
salt
)
}
else
{
const
hash
=
this
.
generatePasswordHash
({
password
})
if
(
!
currentPasswordSecret
)
{
throw
new
Error
(
'
Invalid password version
'
)
passwordHash
=
hash
.
passwordHash
}
const
{
value
:
passwordSecret
}
=
currentPasswordSecret
const
{
passwordHash
}
=
this
.
generatePasswordHash
({
password
,
passwordSecret
,
passwordSecretVersion
})
if
(
passwordHashToCheck
!==
passwordHash
)
{
if
(
passwordHash
!==
this
.
password
.
hash
&&
passwordHash
!==
this
.
passwordHash
)
{
return
{
success
:
false
}
}
let
refreshPasswordInfo
if
(
autoRefresh
&&
passwordSecretVersion
!==
this
.
getLastestSecret
().
version
)
{
if
(
autoRefresh
)
{
refreshPasswordInfo
=
this
.
generatePasswordHash
({
password
password
,
forceUseInternal
:
true
})
}
return
{
success
:
true
,
refreshPasswordInfo
...
...
@@ -91,8 +123,7 @@ class PasswordUtils {
generatePasswordHash
(
params
=
{})
{
let
{
password
,
passwordSecret
,
passwordSecretVersion
forceUseInternal
=
false
}
=
params
if
(
getType
(
password
)
!==
'
string
'
)
{
throw
new
Error
(
'
Invalid password
'
)
...
...
@@ -101,14 +132,35 @@ class PasswordUtils {
if
(
!
password
)
{
throw
new
Error
(
'
Invalid password
'
)
}
if
(
!
passwordSecret
)
{
const
lastestSecret
=
this
.
getLastestSecret
()
passwordSecret
=
lastestSecret
.
value
passwordSecretVersion
=
lastestSecret
.
version
// 没有 passwordSecret,使用内置算法(新版)
if
(
forceUseInternal
||
!
this
.
passwordSecret
)
{
// 默认使用 sha256 加密算法
const
salt
=
crypto
.
randomBytes
(
10
).
toString
(
'
hex
'
)
const
sha256Hash
=
PasswordHashMethod
[
'
hmac-sha256
'
](
password
,
salt
)
const
algorithm
=
PasswordMethodFlagMaps
[
'
hmac-sha256
'
]
// B 为固定值,对应 PasswordMethodMaps 中的 sha256算法
// hash 格式 $[PasswordMethodFlagMapsKey]$[salt size]$[salt][Hash]
const
hashStr
=
`$
${
algorithm
}
$
${
salt
.
length
}
$
${
salt
}${
sha256Hash
}
`
return
{
passwordHash
:
hashStr
}
}
// 旧版本兼容
let
secret
if
(
this
.
passwordSecretVersion
)
{
secret
=
this
.
getSecretByVersion
({
version
:
this
.
passwordSecretVersion
})
}
else
{
secret
=
this
.
getLastestSecret
()
}
return
{
passwordHash
:
PasswordHashMethod
[
'
hmac-sha1
'
](
password
,
passwordSecret
),
version
:
passwordSecretV
ersion
passwordHash
:
PasswordHashMethod
[
'
hmac-sha1
'
](
password
,
secret
.
value
),
version
:
secret
.
v
ersion
}
}
}
...
...
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/lib/utils/register.js
浏览文件 @
39620190
...
...
@@ -53,18 +53,14 @@ async function preRegisterWithPassword(params = {}) {
await
preRegister
.
call
(
this
,
{
user
})
const
passwordUtils
=
new
PasswordUtils
({
passwordSecret
:
this
.
config
.
passwordSecret
})
const
passwordUtils
=
new
PasswordUtils
()
const
{
passwordHash
,
version
passwordHash
}
=
passwordUtils
.
generatePasswordHash
({
password
})
const
extraData
=
{
password
:
passwordHash
,
password_secret_version
:
version
password
:
passwordHash
}
return
{
user
,
...
...
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/account/reset-pwd-by-email.js
浏览文件 @
39620190
...
...
@@ -12,7 +12,7 @@ const {
userCollection
,
EMAIL_SCENE
,
CAPTCHA_SCENE
,
LOG_TYPE
LOG_TYPE
,
dbCmd
}
=
require
(
'
../../common/constants
'
)
const
{
findUser
...
...
@@ -92,17 +92,14 @@ module.exports = async function (params = {}) {
}
const
{
_id
:
uid
}
=
userMatched
[
0
]
const
{
passwordHash
,
version
}
=
new
PasswordUtils
({
passwordSecret
:
this
.
config
.
passwordSecret
}).
generatePasswordHash
({
passwordHash
}
=
new
PasswordUtils
().
generatePasswordHash
({
password
})
// 更新用户密码
await
userCollection
.
doc
(
uid
).
update
({
password
:
passwordHash
,
password_secret_version
:
version
,
password_secret_version
:
dbCmd
.
remove
()
,
valid_token_date
:
Date
.
now
()
})
...
...
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/account/reset-pwd-by-sms.js
浏览文件 @
39620190
...
...
@@ -12,7 +12,7 @@ const {
userCollection
,
SMS_SCENE
,
CAPTCHA_SCENE
,
LOG_TYPE
LOG_TYPE
,
dbCmd
}
=
require
(
'
../../common/constants
'
)
const
{
findUser
...
...
@@ -92,17 +92,14 @@ module.exports = async function (params = {}) {
}
const
{
_id
:
uid
}
=
userMatched
[
0
]
const
{
passwordHash
,
version
}
=
new
PasswordUtils
({
passwordSecret
:
this
.
config
.
passwordSecret
}).
generatePasswordHash
({
passwordHash
}
=
new
PasswordUtils
().
generatePasswordHash
({
password
})
// 更新用户密码
await
userCollection
.
doc
(
uid
).
update
({
password
:
passwordHash
,
password_secret_version
:
version
,
password_secret_version
:
dbCmd
.
remove
()
,
valid_token_date
:
Date
.
now
()
})
...
...
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/account/update-pwd.js
浏览文件 @
39620190
const
{
userCollection
userCollection
,
dbCmd
}
=
require
(
'
../../common/constants
'
)
const
{
ERROR
...
...
@@ -32,16 +32,18 @@ module.exports = async function (params = {}) {
newPassword
}
=
params
const
passwordUtils
=
new
PasswordUtils
({
passwordSecret
:
this
.
config
.
passwordSecret
passwordHash
:
userRecord
.
password
,
passwordSecret
:
this
.
config
.
passwordSecret
,
passwordSecretVersion
:
userRecord
.
password_secret_version
})
const
{
success
:
checkPasswordSuccess
}
=
passwordUtils
.
checkUserPassword
({
password
:
oldPassword
,
passwordHash
:
userRecord
.
password
,
passwordSecretVersion
:
userRecord
.
password_secret_version
,
autoRefresh
:
false
})
if
(
!
checkPasswordSuccess
)
{
throw
{
errCode
:
ERROR
.
PASSWORD_ERROR
...
...
@@ -49,15 +51,14 @@ module.exports = async function (params = {}) {
}
const
{
passwordHash
,
version
passwordHash
}
=
passwordUtils
.
generatePasswordHash
({
password
:
newPassword
})
await
userCollection
.
doc
(
uid
).
update
({
password
:
passwordHash
,
password_secret_version
:
version
,
password_secret_version
:
dbCmd
.
remove
()
,
valid_token_date
:
Date
.
now
()
// refreshToken时会校验,如果创建token时间在此时间点之前,则拒绝下发新token,返回token失效错误码
})
// 执行更新密码操作后客户端应将用户退出重新登录
...
...
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/admin/add-user.js
浏览文件 @
39620190
...
...
@@ -82,19 +82,15 @@ module.exports = async function (params = {}) {
errCode
:
ERROR
.
ACCOUNT_EXISTS
}
}
const
passwordUtils
=
new
PasswordUtils
({
passwordSecret
:
this
.
config
.
passwordSecret
})
const
passwordUtils
=
new
PasswordUtils
()
const
{
passwordHash
,
version
passwordHash
}
=
passwordUtils
.
generatePasswordHash
({
password
})
const
data
=
{
username
,
password
:
passwordHash
,
password_secret_version
:
version
,
dcloud_appid
:
authorizedApp
||
[],
nickname
,
role
:
role
||
[],
...
...
uni_modules/uni-id-pages/uniCloud/cloudfunctions/uni-id-co/module/admin/update-user.js
浏览文件 @
39620190
...
...
@@ -5,7 +5,7 @@ const {
ERROR
}
=
require
(
'
../../common/error
'
)
const
{
userCollection
userCollection
,
dbCmd
}
=
require
(
'
../../common/constants
'
)
const
PasswordUtils
=
require
(
'
../../lib/utils/password
'
)
...
...
@@ -106,18 +106,15 @@ module.exports = async function (params = {}) {
}
if
(
password
)
{
const
passwordUtils
=
new
PasswordUtils
({
passwordSecret
:
this
.
config
.
passwordSecret
})
const
passwordUtils
=
new
PasswordUtils
()
const
{
passwordHash
,
version
passwordHash
}
=
passwordUtils
.
generatePasswordHash
({
password
})
data
.
password
=
passwordHash
data
.
password_secret_version
=
version
data
.
password_secret_version
=
dbCmd
.
remove
()
}
await
userCollection
.
doc
(
uid
).
update
(
data
)
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录