Updates hashing method

2020-08-30 09:59:46 +02:00
parent 92eb813c32
commit f56bd6ab08
4 changed files with 56 additions and 90 deletions
--- a/packages/medusa/package.json
+++ b/packages/medusa/package.json
@@ -46,7 +46,6 @@
    "@babel/plugin-transform-classes": "^7.9.5",
    "@hapi/joi": "^16.1.8",
    "awilix": "^4.2.3",
-    "bcrypt": "^5.0.0",
    "body-parser": "^1.19.0",
    "bull": "^3.12.1",
    "chokidar": "^3.4.2",
@@ -72,6 +71,7 @@
    "randomatic": "^3.1.1",
    "redis": "^3.0.2",
    "resolve-cwd": "^3.0.0",
+    "scrypt": "^6.0.3",
    "winston": "^3.2.1"
  },
  "gitHead": "27d4e07c5251e43ba6be2d5fa35f1d5287b11043"
--- a/packages/medusa/src/services/auth.js
+++ b/packages/medusa/src/services/auth.js
@@ -1,4 +1,4 @@
-import bcrypt from "bcrypt"
+import { verifyKdf } from "scrypt"
 import { BaseService } from "medusa-interfaces"

 /**
@@ -16,6 +16,17 @@ class AuthService extends BaseService {
    this.customerService_ = customerService
  }

+  /**
+   * Verifies if a password is valid given the provided password hash
+   * @param {string} password - the raw password to check
+   * @param {string} hash - the hash to compare against
+   * @return {bool} the result of the comparison
+   */
+  async comparePassword_(password, hash) {
+    const buf = new Buffer(hash, "base64")
+    return verifyKdf(buf, password)
+  }
+
  /**
   * Authenticates a given user with an API token
   * @param {string} token - the api_token of the user to authenticate
@@ -45,7 +56,7 @@ class AuthService extends BaseService {

  /**
   * Authenticates a given user based on an email, password combination. Uses
-   * bcrypt to match password with hashed value.
+   * scrypt to match password with hashed value.
   * @param {string} email - the email of the user
   * @param {string} password - the password of the user
   * @return {{ success: (bool), user: (object | undefined) }}
@@ -56,7 +67,10 @@ class AuthService extends BaseService {
  async authenticate(email, password) {
    try {
      const user = await this.userService_.retrieveByEmail(email)
-      const passwordsMatch = await bcrypt.compare(password, user.password_hash)
+      const passwordsMatch = await this.comparePassword_(
+        password,
+        user.password_hash
+      )
      if (passwordsMatch) {
        return {
          success: true,
@@ -78,7 +92,7 @@ class AuthService extends BaseService {

  /**
   * Authenticates a customer based on an email, password combination. Uses
-   * bcrypt to match password with hashed value.
+   * scrypt to match password with hashed value.
   * @param {string} email - the email of the user
   * @param {string} password - the password of the user
   * @return {{ success: (bool), user: (object | undefined) }}
@@ -96,7 +110,7 @@ class AuthService extends BaseService {
        }
      }

-      const passwordsMatch = await bcrypt.compare(
+      const passwordsMatch = await this.comparePassword_(
        password,
        customer.password_hash
      )
--- a/packages/medusa/src/services/customer.js
+++ b/packages/medusa/src/services/customer.js
@@ -1,5 +1,5 @@
 import jwt from "jsonwebtoken"
-import bcrypt from "bcrypt"
+import { kdf } from "scrypt"
 import _ from "lodash"
 import { Validator, MedusaError } from "medusa-core-utils"
 import { BaseService } from "medusa-interfaces"
@@ -160,6 +160,16 @@ class CustomerService extends BaseService {
    return customer
  }

+  /**
+   * Hashes a password
+   * @param {string} password - the value to hash
+   * @return hashed password
+   */
+  async hashPassword_(password) {
+    const buf = await kdf(password, { N: 1, r: 1, p: 1 })
+    return buf.toString("base64")
+  }
+
  /**
   * Creates a customer from an email - customers can have accounts associated,
   * e.g. to login and view order history, etc. If a password is provided the
@@ -179,7 +189,7 @@ class CustomerService extends BaseService {
    const existing = await this.retrieveByEmail(email).catch(err => undefined)

    if (existing && password && !existing.has_account) {
-      const hashedPassword = await bcrypt.hash(password, 10)
+      const hashedPassword = await this.hashPassword_(password)
      customer.password_hash = hashedPassword
      customer.has_account = true
      delete customer.password
@@ -192,7 +202,7 @@ class CustomerService extends BaseService {
      )
    } else {
      if (password) {
-        const hashedPassword = await bcrypt.hash(password, 10)
+        const hashedPassword = await this.hashPassword_(password)
        customer.password_hash = hashedPassword
        customer.has_account = true
        delete customer.password
@@ -232,7 +242,7 @@ class CustomerService extends BaseService {
    }

    if (update.password) {
-      const hashedPassword = await bcrypt.hash(update.password, 10)
+      const hashedPassword = await this.hashPassword_(update.password)
      update.password_hash = hashedPassword
      update.has_account = true
      delete update.password
--- a/packages/medusa/yarn.lock
+++ b/packages/medusa/yarn.lock
@@ -1637,14 +1637,6 @@ bcrypt-pbkdf@^1.0.0:
  dependencies:
    tweetnacl "^0.14.3"

-bcrypt@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/bcrypt/-/bcrypt-5.0.0.tgz#051407c7cd5ffbfb773d541ca3760ea0754e37e2"
-  integrity sha512-jB0yCBl4W/kVHM2whjfyqnxTmOHkCX4kHEa5nYKSoGeYe8YrjTYTc87/6bwt1g8cmV0QrbhKriETg9jWtcREhg==
-  dependencies:
-    node-addon-api "^3.0.0"
-    node-pre-gyp "0.15.0"
-
 binary-extensions@^1.0.0:
  version "1.13.1"
  resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-1.13.1.tgz#598afe54755b2868a5330d2aff9d4ebb53209b65"
@@ -1965,13 +1957,6 @@ cli-width@^2.0.0:
  resolved "https://registry.yarnpkg.com/cli-width/-/cli-width-2.2.0.tgz#ff19ede8a9a5e579324147b0c11f0fbcbabed639"
  integrity sha1-/xnt6Kml5XkyQUewwR8PvLq+1jk=

-client-sessions@^0.8.0:
-  version "0.8.0"
-  resolved "https://registry.yarnpkg.com/client-sessions/-/client-sessions-0.8.0.tgz#a7d8c5558ad5d56f2a199f3533eb654b5df893fd"
-  integrity sha1-p9jFVYrV1W8qGZ81M+tlS134k/0=
-  dependencies:
-    cookies "^0.7.0"
-
 cliui@^6.0.0:
  version "6.0.0"
  resolved "https://registry.yarnpkg.com/cliui/-/cliui-6.0.0.tgz#511d702c0c4e41ca156d7d0e96021f23e13225b1"
@@ -2178,14 +2163,6 @@ cookiejar@^2.1.0:
  resolved "https://registry.yarnpkg.com/cookiejar/-/cookiejar-2.1.2.tgz#dd8a235530752f988f9a0844f3fc589e3111125c"
  integrity sha512-Mw+adcfzPxcPeI+0WlvRrr/3lGVO0bD75SxX6811cxSh1Wbxx7xZBGK1eVtDf6si8rg2lhnUjsVLMFMfbRIuwA==

-cookies@^0.7.0:
-  version "0.7.3"
-  resolved "https://registry.yarnpkg.com/cookies/-/cookies-0.7.3.tgz#7912ce21fbf2e8c2da70cf1c3f351aecf59dadfa"
-  integrity sha512-+gixgxYSgQLTaTIilDHAdlNPZDENDQernEMiIcZpYYP14zgHsCt4Ce1FEjFtcp6GefhozebB6orvhAAWx/IS0A==
-  dependencies:
-    depd "~1.1.2"
-    keygrip "~1.0.3"
-
 copy-descriptor@^0.1.0:
  version "0.1.1"
  resolved "https://registry.yarnpkg.com/copy-descriptor/-/copy-descriptor-0.1.1.tgz#676f6eb3c39997c2ee1ac3a924fd6124748f578d"
@@ -4363,11 +4340,6 @@ kareem@2.3.1:
  resolved "https://registry.yarnpkg.com/kareem/-/kareem-2.3.1.tgz#def12d9c941017fabfb00f873af95e9c99e1be87"
  integrity sha512-l3hLhffs9zqoDe8zjmb/mAN4B8VT3L56EUvKNqLFVs9YlFA+zx7ke1DO8STAdDyYNkeSo1nKmjuvQeI12So8Xw==

-keygrip@~1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/keygrip/-/keygrip-1.0.3.tgz#399d709f0aed2bab0a059e0cdd3a5023a053e1dc"
-  integrity sha512-/PpesirAIfaklxUzp4Yb7xBper9MwP6hNRA6BGGUFCgbJ+BM5CKBtsoxinNXkLHAr+GXS1/lSlF2rP7cv5Fl+g==
-
 kind-of@^3.0.2, kind-of@^3.0.3, kind-of@^3.2.0:
  version "3.2.2"
  resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-3.2.2.tgz#31ea21a734bab9bbb0f32466d893aea51e4a3c64"
@@ -4593,21 +4565,21 @@ media-typer@0.3.0:
  resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
  integrity sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=

-medusa-core-utils@^1.0.0-alpha.3:
-  version "1.0.0-alpha.3"
-  resolved "https://registry.yarnpkg.com/medusa-core-utils/-/medusa-core-utils-1.0.0-alpha.3.tgz#68b6deb315cceab71c1b859da3f97d8e7a2c1d38"
-  integrity sha512-h1Qkvy682M+ZZRDAFAhKn5i3RBXfDBl0aufaRwvTrj5aXkENUXxaLyKFUKvlX3zJLvq93Xqp/Ey48AZZyqfQpA==
+medusa-core-utils@^1.0.0-alpha.30:
+  version "1.0.0-alpha.30"
+  resolved "https://registry.yarnpkg.com/medusa-core-utils/-/medusa-core-utils-1.0.0-alpha.30.tgz#4ff3c1c8202486a8aa14989c8bcca0d981eb4fdc"
+  integrity sha512-SVcX4/GLm3NntFQzHKALaXi3sQ8PP1eZGXUb6yQEiFnnap0otI37sQCIC+nAw6v14VnGNkoWeVcENti+jSrzVA==
  dependencies:
    "@hapi/joi" "^16.1.8"
    joi-objectid "^3.0.1"

-medusa-test-utils@^1.0.0-alpha.3:
-  version "1.0.0-alpha.3"
-  resolved "https://registry.yarnpkg.com/medusa-test-utils/-/medusa-test-utils-1.0.0-alpha.3.tgz#162995e11f96a7fc02d0863fa6a11f511926979e"
-  integrity sha512-d8A9vq8S0Dlt/HlbSHUTEbrlCA6gQAzAU43MjsZqqe5PHKBZs8D5ZPnjINBJXz/jxLiJNXu8sTkK+4fQwRKBCA==
+medusa-test-utils@^1.0.0-alpha.30:
+  version "1.0.0-alpha.30"
+  resolved "https://registry.yarnpkg.com/medusa-test-utils/-/medusa-test-utils-1.0.0-alpha.30.tgz#2a32b5d5d00993d931cd12a5fa42316c01731e41"
+  integrity sha512-xPPnpLNGSB2eVHxWBRwztPvuIqi6E26QUpRICKzbZ7H3XwsP9G62NTa/TJDrLYmY3232sXeWGZNmOlPZWbQcGw==
  dependencies:
    "@babel/plugin-transform-classes" "^7.9.5"
-    medusa-core-utils "^1.0.0-alpha.3"
+    medusa-core-utils "^1.0.0-alpha.30"
    mongoose "^5.8.0"

 memory-pager@^1.0.2:
@@ -4696,11 +4668,6 @@ minimist@^1.1.1, minimist@^1.2.0:
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284"
  integrity sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=

-minimist@^1.2.5:
-  version "1.2.5"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
-  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
-
 minipass@^2.6.0, minipass@^2.8.6, minipass@^2.9.0:
  version "2.9.0"
  resolved "https://registry.yarnpkg.com/minipass/-/minipass-2.9.0.tgz#e713762e7d3e32fed803115cf93e04bca9fcc9a6"
@@ -4731,13 +4698,6 @@ mkdirp@^0.5.0, mkdirp@^0.5.1:
  dependencies:
    minimist "0.0.8"

-mkdirp@^0.5.3:
-  version "0.5.5"
-  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.5.tgz#d91cefd62d1436ca0f41620e251288d420099def"
-  integrity sha512-NKmAlESf6jMGym1++R0Ra7wvhV+wFW63FaSOFPwRahvea0gMUcGUhVeAg/0BC0wiv9ih5NYPB1Wn1UEI1/L+xQ==
-  dependencies:
-    minimist "^1.2.5"
-
 moment-timezone@^0.5.25:
  version "0.5.27"
  resolved "https://registry.yarnpkg.com/moment-timezone/-/moment-timezone-0.5.27.tgz#73adec8139b6fe30452e78f210f27b1f346b8877"
@@ -4844,6 +4804,11 @@ mute-stream@0.0.8:
  resolved "https://registry.yarnpkg.com/mute-stream/-/mute-stream-0.0.8.tgz#1630c42b2251ff81e2a283de96a5497ea92e5e0d"
  integrity sha512-nnbWWOkoWyUsTjKrhgD0dcz22mdkSnpYqbEjIm2nhwhuxlSkpywJmBo8h0ZqJdkp73mb90SssHkN4rsRaBAfAA==

+nan@^2.0.8:
+  version "2.14.1"
+  resolved "https://registry.yarnpkg.com/nan/-/nan-2.14.1.tgz#d7be34dfa3105b91494c3147089315eff8874b01"
+  integrity sha512-isWHgVjnFjh2x2yuJ/tj3JbwoHu3UC2dX5G/88Cm24yB6YopVgxvBObDY7n5xW6ExmFhJpSEQqFPvq9zaXc8Jw==
+
 nan@^2.12.1:
  version "2.14.0"
  resolved "https://registry.yarnpkg.com/nan/-/nan-2.14.0.tgz#7818f722027b2459a86f0295d434d1fc2336c52c"
@@ -4880,15 +4845,6 @@ needle@^2.2.1:
    iconv-lite "^0.4.4"
    sax "^1.2.4"

-needle@^2.5.0:
-  version "2.5.0"
-  resolved "https://registry.yarnpkg.com/needle/-/needle-2.5.0.tgz#e6fc4b3cc6c25caed7554bd613a5cf0bac8c31c0"
-  integrity sha512-o/qITSDR0JCyCKEQ1/1bnUXMmznxabbwi/Y4WwJElf+evwJNFNwIDMCCt5IigFVxgeGBJESLohGtIS9gEzo1fA==
-  dependencies:
-    debug "^3.2.6"
-    iconv-lite "^0.4.4"
-    sax "^1.2.4"
-
 negotiator@0.6.2:
  version "0.6.2"
  resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.2.tgz#feacf7ccf525a77ae9634436a64883ffeca346fb"
@@ -4906,11 +4862,6 @@ no-case@^2.2.0:
  dependencies:
    lower-case "^1.1.1"

-node-addon-api@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/node-addon-api/-/node-addon-api-3.0.0.tgz#812446a1001a54f71663bed188314bba07e09247"
-  integrity sha512-sSHCgWfJ+Lui/u+0msF3oyCgvdkhxDbkCS6Q8uiJquzOimkJBvX6hl5aSSA7DR1XbMpdM8r7phjcF63sF4rkKg==
-
 node-environment-flags@^1.0.5:
  version "1.0.6"
  resolved "https://registry.yarnpkg.com/node-environment-flags/-/node-environment-flags-1.0.6.tgz#a30ac13621f6f7d674260a54dede048c3982c088"
@@ -4940,22 +4891,6 @@ node-notifier@^6.0.0:
    shellwords "^0.1.1"
    which "^1.3.1"

-node-pre-gyp@0.15.0:
-  version "0.15.0"
-  resolved "https://registry.yarnpkg.com/node-pre-gyp/-/node-pre-gyp-0.15.0.tgz#c2fc383276b74c7ffa842925241553e8b40f1087"
-  integrity sha512-7QcZa8/fpaU/BKenjcaeFF9hLz2+7S9AqyXFhlH/rilsQ/hPZKK32RtR5EQHJElgu+q5RfbJ34KriI79UWaorA==
-  dependencies:
-    detect-libc "^1.0.2"
-    mkdirp "^0.5.3"
-    needle "^2.5.0"
-    nopt "^4.0.1"
-    npm-packlist "^1.1.6"
-    npmlog "^4.0.2"
-    rc "^1.2.7"
-    rimraf "^2.6.1"
-    semver "^5.3.0"
-    tar "^4.4.2"
-
 node-pre-gyp@^0.12.0:
  version "0.12.0"
  resolved "https://registry.yarnpkg.com/node-pre-gyp/-/node-pre-gyp-0.12.0.tgz#39ba4bb1439da030295f899e3b520b7785766149"
@@ -6031,6 +5966,13 @@ saxes@^3.1.9:
  dependencies:
    xmlchars "^2.1.1"

+scrypt@^6.0.3:
+  version "6.0.3"
+  resolved "https://registry.yarnpkg.com/scrypt/-/scrypt-6.0.3.tgz#04e014a5682b53fa50c2d5cce167d719c06d870d"
+  integrity sha1-BOAUpWgrU/pQwtXM4WfXGcBthw0=
+  dependencies:
+    nan "^2.0.8"
+
 semver-diff@^2.0.0:
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/semver-diff/-/semver-diff-2.1.0.tgz#4bbb8437c8d37e4b0cf1a68fd726ec6d645d6d36"
@@ -6531,7 +6473,7 @@ table@^5.2.3:
    slice-ansi "^2.1.0"
    string-width "^3.0.0"

-tar@^4, tar@^4.4.2:
+tar@^4:
  version "4.4.13"
  resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.13.tgz#43b364bc52888d555298637b10d60790254ab525"
  integrity sha512-w2VwSrBoHa5BsSyH+KxEqeQBAllHhccyMFVHtGtdMpF4W7IRWfZjFiQceJPChOeTsSDVUpER2T8FA93pr0L+QA==