krh/muuhd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Minor tweaks and renames

Browse Source
This commit is contained in:
Kim Ravn Hansen
2025-10-13 15:56:44 +02:00
parent f14ec9e09f
commit 1631143647
1 changed files with 32 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
utils/security.js
View File

@@ -2,21 +2,17 @@ import { randomBytes, pbkdf2Sync } from "node:crypto";
import { Config } from "../config.js"; import { Config } from "../config.js";
// Settings (tune as needed) // Settings (tune as needed)
const ITERATIONS = 1000; const ITERATIONS = 1000; // MAGIC CONSTANT - move to Config
const KEYLEN = 32; // 32-bit hash const DIGEST = "sha256"; // MAGIC CONSTANT - move to Config
const DIGEST = "sha256"; const KEYLEN = 32; // MAGIC CONSTANT - move to Config
const DEV = process.env.NODE_ENV === "dev";
/** /**
* Generate a hash from a plaintext password. * Generate a hash from a string
* @param {string} password * @param {string} source @returns {string}
* @returns {string}
*/ */
export function generateHash(password) { export function generateHash(source) {
const salt = randomBytes(16).toString("hex"); // 128-bit salt const salt = randomBytes(16).toString("hex"); // 128-bit salt
const hash = pbkdf2Sync(password, salt, ITERATIONS, KEYLEN, DIGEST).toString( const hash = pbkdf2Sync(source, salt, ITERATIONS, KEYLEN, DIGEST).toString("hex");
"hex",
);
return `${ITERATIONS}:${salt}:${hash}`; return `${ITERATIONS}:${salt}:${hash}`;
} }
@@ -29,15 +25,9 @@ export function generateHash(password) {
*/ */
export function verifyPassword(password_candidate, stored_password_hash) { export function verifyPassword(password_candidate, stored_password_hash) {
const [iterations, salt, hash] = stored_password_hash.split(":"); const [iterations, salt, hash] = stored_password_hash.split(":");
const derived = pbkdf2Sync( const derived = pbkdf2Sync(password_candidate, salt, Number(iterations), KEYLEN, DIGEST).toString("hex");
password_candidate,
salt,
Number(iterations),
KEYLEN,
DIGEST,
).toString("hex");
const success = hash === derived; const success = hash === derived;
if (Config.dev || true) { if (Config.dev) {
console.debug( console.debug(
"Verifying password:\n" + "Verifying password:\n" +
" Input : %s (the password as it was sent to us by the client)\n" + " Input : %s (the password as it was sent to us by the client)\n" +
@@ -57,12 +47,12 @@ export function verifyPassword(password_candidate, stored_password_hash) {
/** @param {string} candidate */ /** @param {string} candidate */
export function isUsernameSane(candidate) { export function isUsernameSane(candidate) {
return /^[a-zA-Z0-9_]{4,}$/.test(candidate); return Config.usernameSanityRegex.test(candidate);
} }
/** @param {string} candidate */ /** @param {string} candidate */
export function isPasswordSane(candidate) { export function isPasswordSane(candidate) {
// We know the password must adhere to one of our client-side-hashed crypto schemes, // We know the password must adhere to one of our client-side-hashed crypto schemes,
// so we can be fairly strict with the allowed passwords // so we can be fairly strict with the allowed passwords
return /^[a-zA-Z0-9_: -]{8,}$/.test(candidate); return Config.passwordSanityRegex.test(candidate);
} }