fix: update password hashing

packages/medusa/package.json

@@ -71,7 +71,7 @@
     "randomatic": "^3.1.1",
     "redis": "^3.0.2",
     "resolve-cwd": "^3.0.0",
-    "scrypt": "^6.0.3",
+    "scrypt-kdf": "^2.0.1",
     "winston": "^3.2.1"
   },
   "gitHead": "27d4e07c5251e43ba6be2d5fa35f1d5287b11043"

packages/medusa/src/services/auth.js

@@ -1,4 +1,4 @@
-import { verifyKdf } from "scrypt"
+import Scrypt from "scrypt-kdf"
 import { BaseService } from "medusa-interfaces"
 
 /**
@@ -23,8 +23,8 @@ class AuthService extends BaseService {
    * @return {bool} the result of the comparison
    */
   async comparePassword_(password, hash) {
-    const buf = new Buffer(hash, "base64")
-    return verifyKdf(buf, password)
+    const buf = Buffer.from(hash, "base64")
+    return Scrypt.verify(buf, password)
   }
 
   /**

packages/medusa/src/services/customer.js

@@ -1,5 +1,5 @@
 import jwt from "jsonwebtoken"
-import { kdf } from "scrypt"
+import Scrypt from "scrypt-kdf"
 import _ from "lodash"
 import { Validator, MedusaError } from "medusa-core-utils"
 import { BaseService } from "medusa-interfaces"
@@ -166,7 +166,7 @@ class CustomerService extends BaseService {
    * @return hashed password
    */
   async hashPassword_(password) {
-    const buf = await kdf(password, { N: 1, r: 1, p: 1 })
+    const buf = await Scrypt.kdf(password, { logN: 1, r: 1, p: 1 })
     return buf.toString("base64")
   }
 

packages/medusa/src/services/user.js

@@ -1,5 +1,5 @@
 import _ from "lodash"
-import bcrypt from "bcrypt"
+import Scrypt from "scrypt-kdf"
 import jwt from "jsonwebtoken"
 import { Validator, MedusaError } from "medusa-core-utils"
 import { BaseService } from "medusa-interfaces"
@@ -133,6 +133,17 @@ class UserService extends BaseService {
     }
     return user
   }
+
+  /**
+   * Hashes a password
+   * @param {string} password - the value to hash
+   * @return hashed password
+   */
+  async hashPassword_(password) {
+    const buf = await Scrypt.kdf(password, { logN: 1, r: 1, p: 1 })
+    return buf.toString("base64")
+  }
+
   /**
    * Creates a user with username being validated.
    * Fails if email is not a valid format.
@@ -141,7 +152,7 @@ class UserService extends BaseService {
    */
   async create(user, password) {
     const validatedEmail = this.validateEmail_(user.email)
-    const hashedPassword = await bcrypt.hash(password, 10)
+    const hashedPassword = await this.hashPassword_(password)
     user.email = validatedEmail
     user.password_hash = hashedPassword
     return this.userModel_.create(user).catch(err => {

packages/medusa/yarn.lock

@@ -4804,11 +4804,6 @@ mute-stream@0.0.8:
   resolved "https://registry.yarnpkg.com/mute-stream/-/mute-stream-0.0.8.tgz#1630c42b2251ff81e2a283de96a5497ea92e5e0d"
   integrity sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA==
 
-nan@^2.0.8:
-  version "2.14.1"
-  resolved "https://registry.yarnpkg.com/nan/-/nan-2.14.1.tgz#d7be34dfa3105b91494c3147089315eff8874b01"
-  integrity sha512-isWHgVjnFjh2x2yuJ/tj3JbwoHu3UC2dX5G/88Cm24yB6YopVgxvBObDY7n5xW6ExmFhJpSEQqFPvq9zaXc8Jw==
-
 nan@^2.12.1:
   version "2.14.0"
   resolved "https://registry.yarnpkg.com/nan/-/nan-2.14.0.tgz#7818f722027b2459a86f0295d434d1fc2336c52c"
@@ -5966,12 +5961,10 @@ saxes@^3.1.9:
   dependencies:
     xmlchars "^2.1.1"
 
-scrypt@^6.0.3:
-  version "6.0.3"
-  resolved "https://registry.yarnpkg.com/scrypt/-/scrypt-6.0.3.tgz#04e014a5682b53fa50c2d5cce167d719c06d870d"
-  integrity sha1-BOAUpWgrU/pQwtXM4WfXGcBthw0=
-  dependencies:
-    nan "^2.0.8"
+scrypt-kdf@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/scrypt-kdf/-/scrypt-kdf-2.0.1.tgz#3355224c52d398331b2cbf2b70a7be26b52c53e6"
+  integrity sha512-dMhpgBVJPDWZP5erOCwTjI6oAO9hKhFAjZsdSQ0spaWJYHuA/wFNF2weQQfsyCIk8eNKoLfEDxr3zAtM+gZo0Q==
 
 semver-diff@^2.0.0:
   version "2.1.0"