fix(auth): use sha-512 for auth tokens

Bcrypt hashes are too slow to be validated on every request.
Because our tokens are randomly generated secrets of fixed length with
high entropy (unlike low-entropy user passwords), a deliberately slow
password-hashing function is not needed to resist brute force, so it is
reasonable to use SHA-512 instead.

SHA-512 is recommended as cryptographically strong by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

Fixes https://github.com/hedgedoc/hedgedoc/issues/1881

Signed-off-by: David Mehren <git@herrmehren.de>
David Mehren 2021-12-09 23:04:00 +01:00
parent f4a7a5ed2d
commit b4a65b47f0
3 changed files with 37 additions and 23 deletions


@ -7,6 +7,7 @@ import { ConfigModule } from '@nestjs/config';
import { PassportModule } from '@nestjs/passport';
import { Test, TestingModule } from '@nestjs/testing';
import { getRepositoryToken } from '@nestjs/typeorm';
import crypto from 'crypto';
import { Repository } from 'typeorm';
import appConfigMock from '../config/mock/app.config.mock';
@ -86,7 +87,10 @@ describe('AuthService', () => {
describe('getAuthToken', () => {
const token = 'testToken';
it('works', async () => {
const accessTokenHash = await hashPassword(token);
const accessTokenHash = crypto
.createHash('sha512')
.update(token)
.digest('hex');
jest.spyOn(authTokenRepo, 'findOne').mockResolvedValueOnce({
...authToken,
user: user,
@ -162,8 +166,12 @@ describe('AuthService', () => {
describe('validateToken', () => {
it('works', async () => {
const token = 'testToken';
const accessTokenHash = await hashPassword(token);
const testSecret =
'gNrv_NJ4FHZ0UFZJQu_q_3i3-GP_d6tELVtkYiMFLkLWNl_dxEmPVAsCNKxP3N3DB9aGBVFYE1iptvw7hFMJvA';
const accessTokenHash = crypto
.createHash('sha512')
.update(testSecret)
.digest('hex');
jest.spyOn(userRepo, 'findOne').mockResolvedValueOnce({
...user,
authTokens: [authToken],
@ -179,7 +187,7 @@ describe('AuthService', () => {
return authToken;
});
const userByToken = await service.validateToken(
`${authToken.keyId}.${token}`,
`${authToken.keyId}.${testSecret}`,
);
expect(userByToken).toEqual({
...user,