gzupanda / code-server
Commit 409b473c (unverified)
Authored Jun 02, 2021 by Joe Previte

refactor: rewrite password logic at /login

Parent: a14ea39c
1 changed file with 22 additions and 22 deletions (+22 -22)
src/node/routes/login.ts (view file @ 409b473c)
...
...
@@ -5,7 +5,15 @@ import * as path from "path"
import
safeCompare
from
"
safe-compare
"
import
{
rootPath
}
from
"
../constants
"
import
{
authenticated
,
getCookieDomain
,
redirect
,
replaceTemplates
}
from
"
../http
"
import
{
hash
,
hashLegacy
,
humanPath
,
isHashLegacyMatch
,
isHashMatch
}
from
"
../util
"
import
{
getPasswordMethod
,
handlePasswordValidation
,
hash
,
hashLegacy
,
humanPath
,
isHashLegacyMatch
,
isHashMatch
,
}
from
"
../util
"
export
enum
Cookie
{
Key
=
"
key
"
,
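Review bot: `hash`, `hashLegacy`, `isHashLegacyMatch` and `isHashMatch` are still imported from `../util` in the new import block, but the rewritten handler in this file now calls only `getPasswordMethod` and `handlePasswordValidation`; if nothing else in login.ts references them, drop them so the unused-import lint stays clean. Removing the `safeCompare` import from `safe-compare` also means the plaintext `--password` comparison now has to live inside `handlePasswordValidation` in `../util`; that move should keep a constant-time compare rather than falling back to `===`, which is worth confirming in the util side of this change.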
...
...
@@ -62,36 +70,28 @@ router.get("/", async (req, res) => {
})
router
.
post
(
"
/
"
,
async
(
req
,
res
)
=>
{
const
password
=
req
.
body
.
password
const
hashedPasswordFromArgs
=
req
.
args
[
"
hashed-password
"
]
try
{
// Check to see if they exceeded their login attempts
if
(
!
limiter
.
canTry
())
{
throw
new
Error
(
"
Login rate limited!
"
)
}
if
(
!
req
.
body
.
password
)
{
if
(
!
password
)
{
throw
new
Error
(
"
Missing password
"
)
}
// this logic below is flawed
const
theHash
=
await
hash
(
req
.
body
.
password
)
const
hashedPassword
=
req
.
args
[
"
hashed-password
"
]
||
""
const
match
=
await
isHashMatch
(
req
.
body
.
password
,
hashedPassword
)
// console.log(`The actual hash: ${theHash}`)
// console.log(`hashed-password from config: ${hashedPassword}`)
// console.log(theHash, hashedPassword)
console
.
log
(
`is it a match???
${
match
}
`
)
if
(
req
.
args
[
"
hashed-password
"
]
?
isHashLegacyMatch
(
req
.
body
.
password
,
req
.
args
[
"
hashed-password
"
])
:
req
.
args
.
password
&&
safeCompare
(
req
.
body
.
password
,
req
.
args
.
password
)
)
{
// NOTE@jsjoeio:
// We store the hashed password as a cookie. In order to be backwards-comptabile for the folks
// using sha256 (the original hashing algorithm), we need to check the hashed-password in the req.args
// TODO all of this logic should be cleaned up honestly. The current implementation only checks for a hashed-password
// but doesn't check which algorithm they are using.
console
.
log
(
`What is this?
${
req
.
args
[
"
hashed-password
"
]}
`
,
Boolean
(
req
.
args
[
"
hashed-password
"
]))
const
hashedPassword
=
req
.
args
[
"
hashed-password
"
]
?
hashLegacy
(
req
.
body
.
password
)
:
await
hash
(
req
.
body
.
password
)
const
passwordMethod
=
getPasswordMethod
(
hashedPasswordFromArgs
)
const
{
isPasswordValid
,
hashedPassword
}
=
await
handlePasswordValidation
({
passwordMethod
,
hashedPasswordFromArgs
,
passwordFromRequestBody
:
password
,
passwordFromArgs
:
req
.
args
.
password
,
})
if
(
isPasswordValid
)
{
// The hash does not add any actual security but we do it for
// obfuscation purposes (and as a side effect it handles escaping).
res
.
cookie
(
Cookie
.
Key
,
hashedPassword
,
{
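Review bot: `hashedPasswordFromArgs` is `req.args["hashed-password"]` with no `|| ""` fallback, unlike the removed `const hashedPassword = req.args["hashed-password"] || ""` line, so `getPasswordMethod(hashedPasswordFromArgs)` and `handlePasswordValidation({...})` must handle `undefined` explicitly; a test covering the three configurations (no `hashed-password` set, a legacy sha256 value, a value produced by the current `hash`) would pin that down. Deleting the `console.log` calls that printed the configured hash and the match result to stdout is the right call; please confirm nothing equivalent was carried over into `handlePasswordValidation`. The `// NOTE@jsjoeio` / TODO comment explaining why the legacy hash is checked against `req.args` goes with the old branch, so the "which algorithm is in use" decision should now be documented on `getPasswordMethod` instead.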
...
...