From f56bd6ab08693ea931dc4ffa88ab3c0abcaf13dd Mon Sep 17 00:00:00 2001
From: Sebastian Rindom
Date: Sun, 30 Aug 2020 09:59:46 +0200
Subject: [PATCH] Updates hashing method
---
 packages/medusa/package.json | 2 +-
 packages/medusa/src/services/auth.js | 24 ++++--
 packages/medusa/src/services/customer.js | 18 +++-
 packages/medusa/yarn.lock | 102 +++++------------------
 4 files changed, 56 insertions(+), 90 deletions(-)
diff --git a/packages/medusa/package.json b/packages/medusa/package.json
index 243a37b2a1..714e54732e 100644
--- a/packages/medusa/package.json
+++ b/packages/medusa/package.json
@@ -46,7 +46,6 @@
 "@babel/plugin-transform-classes": "^7.9.5",
 "@hapi/joi": "^16.1.8",
 "awilix": "^4.2.3",
- "bcrypt": "^5.0.0",
 "body-parser": "^1.19.0",
 "bull": "^3.12.1",
 "chokidar": "^3.4.2",
@@ -72,6 +71,7 @@
 "randomatic": "^3.1.1",
 "redis": "^3.0.2",
 "resolve-cwd": "^3.0.0",
+ "scrypt": "^6.0.3",
 "winston": "^3.2.1"
 },
 "gitHead": "27d4e07c5251e43ba6be2d5fa35f1d5287b11043"
diff --git a/packages/medusa/src/services/auth.js b/packages/medusa/src/services/auth.js
index f6b624def1..f867d52c4c 100644
--- a/packages/medusa/src/services/auth.js
+++ b/packages/medusa/src/services/auth.js
@@ -1,4 +1,4 @@
-import bcrypt from "bcrypt"
+import { verifyKdf } from "scrypt"
 import { BaseService } from "medusa-interfaces"
 /**
@@ -16,6 +16,17 @@ class AuthService extends BaseService {
 this.customerService_ = customerService
 }
+ /**
+ * Verifies if a password is valid given the provided password hash
+ * @param {string} password - the raw password to check
+ * @param {string} hash - the hash to compare against
+ * @return {bool} the result of the comparison
+ */
+ async comparePassword_(password, hash) {
+ const buf = new Buffer(hash, "base64")
+ return verifyKdf(buf, password)
+ }
+
 /**
 * Authenticates a given user with an API token
 * @param {string} token - the api_token of the user to authenticate
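Review bot: The replacement dependency added at `+ "scrypt": "^6.0.3"` is a native addon (the lockfile further down in this patch resolves it through `nan`), so it brings a compile step and a binary supply-chain surface back in place of the one the removed `bcrypt` line took out. Node's standard library already ships `crypto.scrypt` and `crypto.scryptSync` in `node:crypto`, which would let the two new helpers in auth.js and customer.js drop the third-party package entirely; whether the project's minimum Node version allows that is not visible here. If the package stays, its maintenance status is worth confirming before release, since every password check now depends on it.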
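Review bot: `new Buffer(hash, "base64")` in comparePassword_ uses the deprecated Buffer constructor (Node reports it as DEP0005); `const buf = Buffer.from(hash, "base64")` is the equivalent. The helper also has no path for hashes already in the database: `password_hash` values written by the `bcrypt.hash` calls this commit removes are bcrypt strings, not base64 scrypt blobs, so after deploy they will fail `verifyKdf` (or make it reject) and every pre-existing account stops authenticating unless a rehash-on-login or migration step exists elsewhere, which is not visible in this patch. The docstring `@return {bool}` should read `@return {Promise<boolean>}` since the method is async.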
@@ -45,7 +56,7 @@ class AuthService extends BaseService {
 /**
 * Authenticates a given user based on an email, password combination. Uses
- * bcrypt to match password with hashed value.
+ * scrypt to match password with hashed value.
 * @param {string} email - the email of the user
 * @param {string} password - the password of the user
 * @return {{ success: (bool), user: (object | undefined) }}
@@ -56,7 +67,10 @@ class AuthService extends BaseService {
 async authenticate(email, password) {
 try {
 const user = await this.userService_.retrieveByEmail(email)
- const passwordsMatch = await bcrypt.compare(password, user.password_hash)
+ const passwordsMatch = await this.comparePassword_(
+ password,
+ user.password_hash
+ )
 if (passwordsMatch) {
 return {
 success: true,
@@ -78,7 +92,7 @@ class AuthService extends BaseService {
 /**
 * Authenticates a customer based on an email, password combination. Uses
- * bcrypt to match password with hashed value.
+ * scrypt to match password with hashed value.
 * @param {string} email - the email of the user
 * @param {string} password - the password of the user
 * @return {{ success: (bool), user: (object | undefined) }}
@@ -96,7 +110,7 @@ class AuthService extends BaseService {
 }
 }
- const passwordsMatch = await bcrypt.compare(
+ const passwordsMatch = await this.comparePassword_(
 password,
 customer.password_hash
 )
diff --git a/packages/medusa/src/services/customer.js b/packages/medusa/src/services/customer.js
index 0787b6d842..50f9c7a8bf 100644
--- a/packages/medusa/src/services/customer.js
+++ b/packages/medusa/src/services/customer.js
@@ -1,5 +1,5 @@
 import jwt from "jsonwebtoken"
-import bcrypt from "bcrypt"
+import { kdf } from "scrypt"
 import _ from "lodash"
 import { Validator, MedusaError } from "medusa-core-utils"
 import { BaseService } from "medusa-interfaces"
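Review bot: `authenticate` now verifies `user.password_hash` with scrypt, but the diffstat lists no change to the user service, so wherever user passwords are hashed on creation (not in this patch) presumably still uses bcrypt; if so, this call can never return true for users, only for customers, whose hashing is switched in customer.js. Either the user-side hashing needs the same `hashPassword_` treatment or `comparePassword_` needs to recognise both formats during the transition. The `catch` of the surrounding `try` is outside the hunk, so whether a `verifyKdf` rejection on a non-scrypt hash is distinguished from a plain wrong password cannot be checked here.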
@@ -160,6 +160,16 @@ class CustomerService extends BaseService {
 return customer
 }
+ /**
+ * Hashes a password
+ * @param {string} password - the value to hash
+ * @return hashed password
+ */
+ async hashPassword_(password) {
+ const buf = await kdf(password, { N: 1, r: 1, p: 1 })
+ return buf.toString("base64")
+ }
+
 /**
 * Creates a customer from an email - customers can have accounts associated,
 * e.g. to login and view order history, etc. If a password is provided the
@@ -179,7 +189,7 @@ class CustomerService extends BaseService {
 const existing = await this.retrieveByEmail(email).catch(err => undefined)
 if (existing && password && !existing.has_account) {
- const hashedPassword = await bcrypt.hash(password, 10)
+ const hashedPassword = await this.hashPassword_(password)
 customer.password_hash = hashedPassword
 customer.has_account = true
 delete customer.password
@@ -192,7 +202,7 @@ class CustomerService extends BaseService {
 )
 } else {
 if (password) {
- const hashedPassword = await bcrypt.hash(password, 10)
+ const hashedPassword = await this.hashPassword_(password)
 customer.password_hash = hashedPassword
 customer.has_account = true
 delete customer.password
@@ -232,7 +242,7 @@ class CustomerService extends BaseService {
 }
 if (update.password) {
- const hashedPassword = await bcrypt.hash(update.password, 10)
+ const hashedPassword = await this.hashPassword_(update.password)
 update.password_hash = hashedPassword
 update.has_account = true
 delete update.password
diff --git a/packages/medusa/yarn.lock b/packages/medusa/yarn.lock
index f27d08a532..7e3b43998d 100644
--- a/packages/medusa/yarn.lock
+++ b/packages/medusa/yarn.lock
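Review bot: `kdf(password, { N: 1, r: 1, p: 1 })` in hashPassword_ removes the work factor that `bcrypt.hash(password, 10)` provided: with N=1 scrypt's memory-hard core does essentially no work (and scrypt specifies N as a power of two greater than 1, so the library may reject or silently clamp it), leaving every stored customer password hash roughly as cheap to brute-force as a single salted hash. Cost parameters should be in the range scrypt's authors recommend for interactive logins — N on the order of 2^14 or higher with r=8 and p=1 — e.g. `const buf = await kdf(password, { N: 16384, r: 8, p: 1 })`, assuming the library takes the raw N as the `{ N, r, p }` object form here suggests, or derived through its `params()` helper from a target cost; a short comment stating the chosen cost and why would help the next reviewer. `@return hashed password` should also carry a type, e.g. `@return {Promise<string>} base64-encoded scrypt KDF output`.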
@@ -1637,14 +1637,6 @@ bcrypt-pbkdf@^1.0.0: dependencies: tweetnacl "^0.14.3" -bcrypt@^5.0.0: - version "5.0.0" - resolved "https://registry.yarnpkg.com/bcrypt/-/bcrypt-5.0.0.tgz#051407c7cd5ffbfb773d541ca3760ea0754e37e2" - integrity sha512-jB0yCBl4W/kVHM2whjfyqnxTmOHkCX4kHEa5nYKSoGeYe8YrjTYTc87/6bwt1g8cmV0QrbhKriETg9jWtcREhg== - dependencies: - node-addon-api "^3.0.0" - node-pre-gyp "0.15.0" - binary-extensions@^1.0.0: version "1.13.1" resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-1.13.1.tgz#598afe54755b2868a5330d2aff9d4ebb53209b65" @@ -1965,13 +1957,6 @@ cli-width@^2.0.0: resolved "https://registry.yarnpkg.com/cli-width/-/cli-width-2.2.0.tgz#ff19ede8a9a5e579324147b0c11f0fbcbabed639" integrity sha1-/xnt6Kml5XkyQUewwR8PvLq+1jk= -client-sessions@^0.8.0: - version "0.8.0" - resolved "https://registry.yarnpkg.com/client-sessions/-/client-sessions-0.8.0.tgz#a7d8c5558ad5d56f2a199f3533eb654b5df893fd" - integrity sha1-p9jFVYrV1W8qGZ81M+tlS134k/0= - dependencies: - cookies "^0.7.0" - cliui@^6.0.0: version "6.0.0" resolved "https://registry.yarnpkg.com/cliui/-/cliui-6.0.0.tgz#511d702c0c4e41ca156d7d0e96021f23e13225b1" @@ -2178,14 +2163,6 @@ cookiejar@^2.1.0: resolved "https://registry.yarnpkg.com/cookiejar/-/cookiejar-2.1.2.tgz#dd8a235530752f988f9a0844f3fc589e3111125c" integrity sha512-Mw+adcfzPxcPeI+0WlvRrr/3lGVO0bD75SxX6811cxSh1Wbxx7xZBGK1eVtDf6si8rg2lhnUjsVLMFMfbRIuwA== -cookies@^0.7.0: - version "0.7.3" - resolved "https://registry.yarnpkg.com/cookies/-/cookies-0.7.3.tgz#7912ce21fbf2e8c2da70cf1c3f351aecf59dadfa" - integrity sha512-+gixgxYSgQLTaTIilDHAdlNPZDENDQernEMiIcZpYYP14zgHsCt4Ce1FEjFtcp6GefhozebB6orvhAAWx/IS0A== - dependencies: - depd "~1.1.2" - keygrip "~1.0.3" - copy-descriptor@^0.1.0: version "0.1.1" resolved "https://registry.yarnpkg.com/copy-descriptor/-/copy-descriptor-0.1.1.tgz#676f6eb3c39997c2ee1ac3a924fd6124748f578d" 
@@ -4363,11 +4340,6 @@ kareem@2.3.1: resolved "https://registry.yarnpkg.com/kareem/-/kareem-2.3.1.tgz#def12d9c941017fabfb00f873af95e9c99e1be87" integrity sha512-l3hLhffs9zqoDe8zjmb/mAN4B8VT3L56EUvKNqLFVs9YlFA+zx7ke1DO8STAdDyYNkeSo1nKmjuvQeI12So8Xw== -keygrip@~1.0.3: - version "1.0.3" - resolved "https://registry.yarnpkg.com/keygrip/-/keygrip-1.0.3.tgz#399d709f0aed2bab0a059e0cdd3a5023a053e1dc" - integrity sha512-/PpesirAIfaklxUzp4Yb7xBper9MwP6hNRA6BGGUFCgbJ+BM5CKBtsoxinNXkLHAr+GXS1/lSlF2rP7cv5Fl+g== - kind-of@^3.0.2, kind-of@^3.0.3, kind-of@^3.2.0: version "3.2.2" resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-3.2.2.tgz#31ea21a734bab9bbb0f32466d893aea51e4a3c64" 
@@ -4593,21 +4565,21 @@ media-typer@0.3.0: resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748" integrity sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g= -medusa-core-utils@^1.0.0-alpha.3: - version "1.0.0-alpha.3" - resolved "https://registry.yarnpkg.com/medusa-core-utils/-/medusa-core-utils-1.0.0-alpha.3.tgz#68b6deb315cceab71c1b859da3f97d8e7a2c1d38" - integrity sha512-h1Qkvy682M+ZZRDAFAhKn5i3RBXfDBl0aufaRwvTrj5aXkENUXxaLyKFUKvlX3zJLvq93Xqp/Ey48AZZyqfQpA== +medusa-core-utils@^1.0.0-alpha.30: + version "1.0.0-alpha.30" + resolved "https://registry.yarnpkg.com/medusa-core-utils/-/medusa-core-utils-1.0.0-alpha.30.tgz#4ff3c1c8202486a8aa14989c8bcca0d981eb4fdc" + integrity sha512-SVcX4/GLm3NntFQzHKALaXi3sQ8PP1eZGXUb6yQEiFnnap0otI37sQCIC+nAw6v14VnGNkoWeVcENti+jSrzVA== dependencies: "@hapi/joi" "^16.1.8" joi-objectid "^3.0.1" -medusa-test-utils@^1.0.0-alpha.3: - version "1.0.0-alpha.3" - resolved "https://registry.yarnpkg.com/medusa-test-utils/-/medusa-test-utils-1.0.0-alpha.3.tgz#162995e11f96a7fc02d0863fa6a11f511926979e" - integrity sha512-d8A9vq8S0Dlt/HlbSHUTEbrlCA6gQAzAU43MjsZqqe5PHKBZs8D5ZPnjINBJXz/jxLiJNXu8sTkK+4fQwRKBCA== +medusa-test-utils@^1.0.0-alpha.30: + version "1.0.0-alpha.30" + resolved "https://registry.yarnpkg.com/medusa-test-utils/-/medusa-test-utils-1.0.0-alpha.30.tgz#2a32b5d5d00993d931cd12a5fa42316c01731e41" + integrity sha512-xPPnpLNGSB2eVHxWBRwztPvuIqi6E26QUpRICKzbZ7H3XwsP9G62NTa/TJDrLYmY3232sXeWGZNmOlPZWbQcGw== dependencies: "@babel/plugin-transform-classes" "^7.9.5" - medusa-core-utils "^1.0.0-alpha.3" + medusa-core-utils "^1.0.0-alpha.30" mongoose "^5.8.0" memory-pager@^1.0.2: 
@@ -4696,11 +4668,6 @@ minimist@^1.1.1, minimist@^1.2.0: resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284" integrity sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ= -minimist@^1.2.5: - version "1.2.5" - resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602" - integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw== - minipass@^2.6.0, minipass@^2.8.6, minipass@^2.9.0: version "2.9.0" resolved "https://registry.yarnpkg.com/minipass/-/minipass-2.9.0.tgz#e713762e7d3e32fed803115cf93e04bca9fcc9a6" @@ -4731,13 +4698,6 @@ mkdirp@^0.5.0, mkdirp@^0.5.1: dependencies: minimist "0.0.8" -mkdirp@^0.5.3: - version "0.5.5" - resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.5.tgz#d91cefd62d1436ca0f41620e251288d420099def" - integrity sha512-NKmAlESf6jMGym1++R0Ra7wvhV+wFW63FaSOFPwRahvea0gMUcGUhVeAg/0BC0wiv9ih5NYPB1Wn1UEI1/L+xQ== - dependencies: - minimist "^1.2.5" - moment-timezone@^0.5.25: version "0.5.27" resolved "https://registry.yarnpkg.com/moment-timezone/-/moment-timezone-0.5.27.tgz#73adec8139b6fe30452e78f210f27b1f346b8877" @@ -4844,6 +4804,11 @@ mute-stream@0.0.8: resolved "https://registry.yarnpkg.com/mute-stream/-/mute-stream-0.0.8.tgz#1630c42b2251ff81e2a283de96a5497ea92e5e0d" integrity sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA== +nan@^2.0.8: + version "2.14.1" + resolved "https://registry.yarnpkg.com/nan/-/nan-2.14.1.tgz#d7be34dfa3105b91494c3147089315eff8874b01" + integrity sha512-isWHgVjnFjh2x2yuJ/tj3JbwoHu3UC2dX5G/88Cm24yB6YopVgxvBObDY7n5xW6ExmFhJpSEQqFPvq9zaXc8Jw== + nan@^2.12.1: version "2.14.0" resolved "https://registry.yarnpkg.com/nan/-/nan-2.14.0.tgz#7818f722027b2459a86f0295d434d1fc2336c52c" 
@@ -4880,15 +4845,6 @@ needle@^2.2.1: iconv-lite "^0.4.4" sax "^1.2.4" -needle@^2.5.0: - version "2.5.0" - resolved "https://registry.yarnpkg.com/needle/-/needle-2.5.0.tgz#e6fc4b3cc6c25caed7554bd613a5cf0bac8c31c0" - integrity sha512-o/qITSDR0JCyCKEQ1/1bnUXMmznxabbwi/Y4WwJElf+evwJNFNwIDMCCt5IigFVxgeGBJESLohGtIS9gEzo1fA== - dependencies: - debug "^3.2.6" - iconv-lite "^0.4.4" - sax "^1.2.4" - negotiator@0.6.2: version "0.6.2" resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.2.tgz#feacf7ccf525a77ae9634436a64883ffeca346fb" @@ -4906,11 +4862,6 @@ no-case@^2.2.0: dependencies: lower-case "^1.1.1" -node-addon-api@^3.0.0: - version "3.0.0" - resolved "https://registry.yarnpkg.com/node-addon-api/-/node-addon-api-3.0.0.tgz#812446a1001a54f71663bed188314bba07e09247" - integrity sha512-sSHCgWfJ+Lui/u+0msF3oyCgvdkhxDbkCS6Q8uiJquzOimkJBvX6hl5aSSA7DR1XbMpdM8r7phjcF63sF4rkKg== - node-environment-flags@^1.0.5: version "1.0.6" resolved "https://registry.yarnpkg.com/node-environment-flags/-/node-environment-flags-1.0.6.tgz#a30ac13621f6f7d674260a54dede048c3982c088" @@ -4940,22 +4891,6 @@ node-notifier@^6.0.0: shellwords "^0.1.1" which "^1.3.1" -node-pre-gyp@0.15.0: - version "0.15.0" - resolved "https://registry.yarnpkg.com/node-pre-gyp/-/node-pre-gyp-0.15.0.tgz#c2fc383276b74c7ffa842925241553e8b40f1087" - integrity sha512-7QcZa8/fpaU/BKenjcaeFF9hLz2+7S9AqyXFhlH/rilsQ/hPZKK32RtR5EQHJElgu+q5RfbJ34KriI79UWaorA== - dependencies: - detect-libc "^1.0.2" - mkdirp "^0.5.3" - needle "^2.5.0" - nopt "^4.0.1" - npm-packlist "^1.1.6" - npmlog "^4.0.2" - rc "^1.2.7" - rimraf "^2.6.1" - semver "^5.3.0" - tar "^4.4.2" - node-pre-gyp@^0.12.0: version "0.12.0" resolved "https://registry.yarnpkg.com/node-pre-gyp/-/node-pre-gyp-0.12.0.tgz#39ba4bb1439da030295f899e3b520b7785766149" 
@@ -6031,6 +5966,13 @@ saxes@^3.1.9: dependencies: xmlchars "^2.1.1" +scrypt@^6.0.3: + version "6.0.3" + resolved "https://registry.yarnpkg.com/scrypt/-/scrypt-6.0.3.tgz#04e014a5682b53fa50c2d5cce167d719c06d870d" + integrity sha1-BOAUpWgrU/pQwtXM4WfXGcBthw0= + dependencies: + nan "^2.0.8" + semver-diff@^2.0.0: version "2.1.0" resolved "https://registry.yarnpkg.com/semver-diff/-/semver-diff-2.1.0.tgz#4bbb8437c8d37e4b0cf1a68fd726ec6d645d6d36" @@ -6531,7 +6473,7 @@ table@^5.2.3: slice-ansi "^2.1.0" string-width "^3.0.0" -tar@^4, tar@^4.4.2: +tar@^4: version "4.4.13" resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.13.tgz#43b364bc52888d555298637b10d60790254ab525" integrity sha512-w2VwSrBoHa5BsSyH+KxEqeQBAllHhccyMFVHtGtdMpF4W7IRWfZjFiQceJPChOeTsSDVUpER2T8FA93pr0L+QA==