krh/muuhd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Minor tweaks and renames

Browse Source
This commit is contained in:
Kim Ravn Hansen
2025-10-13 15:56:44 +02:00
parent f14ec9e09f
commit 1631143647
1 changed files with 32 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
utils/security.js
View File

@@ -2,21 +2,17 @@ import { randomBytes, pbkdf2Sync } from "node:crypto";
import { Config } from "../config.js";
// Settings (tune as needed)
const ITERATIONS = 1000;
const KEYLEN = 32; // 32-bit hash
const DIGEST = "sha256";
const DEV = process.env.NODE_ENV === "dev";
const ITERATIONS = 1000; // MAGIC CONSTANT - move to Config
const DIGEST = "sha256"; // MAGIC CONSTANT - move to Config
const KEYLEN = 32; // MAGIC CONSTANT - move to Config
/**
* Generate a hash from a plaintext password.
* @param {string} password
* @returns {string}
* Generate a hash from a string
* @param {string} source @returns {string}
*/
export function generateHash(password) {
export function generateHash(source) {
const salt = randomBytes(16).toString("hex"); // 128-bit salt
const hash = pbkdf2Sync(password, salt, ITERATIONS, KEYLEN, DIGEST).toString(
"hex",
);
const hash = pbkdf2Sync(source, salt, ITERATIONS, KEYLEN, DIGEST).toString("hex");
return `${ITERATIONS}:${salt}:${hash}`;
}
@@ -29,15 +25,9 @@ export function generateHash(password) {
*/
export function verifyPassword(password_candidate, stored_password_hash) {
const [iterations, salt, hash] = stored_password_hash.split(":");
const derived = pbkdf2Sync(
password_candidate,
salt,
Number(iterations),
KEYLEN,
DIGEST,
).toString("hex");
const derived = pbkdf2Sync(password_candidate, salt, Number(iterations), KEYLEN, DIGEST).toString("hex");
const success = hash === derived;
if (Config.dev || true) {
if (Config.dev) {
console.debug(
"Verifying password:\n" +
" Input : %s (the password as it was sent to us by the client)\n" +
@@ -57,12 +47,12 @@ export function verifyPassword(password_candidate, stored_password_hash) {
/** @param {string} candidate */
export function isUsernameSane(candidate) {
return /^[a-zA-Z0-9_]{4,}$/.test(candidate);
return Config.usernameSanityRegex.test(candidate);
}
/** @param {string} candidate */
export function isPasswordSane(candidate) {
// We know the password must adhere to one of our client-side-hashed crypto schemes,
// so we can be fairly strict with the allowed passwords
return /^[a-zA-Z0-9_: -]{8,}$/.test(candidate);
return Config.passwordSanityRegex.test(candidate);
}