Use argon2 for password hashing

PR-URL: #855
metarhia · Jul 25, 2018 · 1fcac69 · 1fcac69
1 parent f2fa99d
commit 1fcac69
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 23 deletions.
diff --git a/lib/api.registry.js b/lib/api.registry.js
@@ -77,8 +77,9 @@ api.registry.modules = {
   test: { type: 'impress', default: true },
   json: { type: 'global', default: true },
   definition: { type: 'impress', default: true },
-  db: { type: 'impress', default: true }
+  db: { type: 'impress', default: true },
 
+  argon2: { npm: 'argon2', type: 'npm', default: true },
 };
 
 api.registry.buildIndex = (

diff --git a/lib/security.js b/lib/security.js
@@ -75,15 +75,13 @@ const mixin = (application) => {
 
   security.hash = (
     // Calculate password hash
-    password // string
-    // Returns: hash string
+    password, // string
+    callback // function(err, hash)
   ) => {
-    const salt = application.config.sessions.secret;
-    const result = api.crypto
-      .createHmac('sha512', salt)
-      .update(password)
-      .digest('latin1');
-    return result;
+    api.argon2
+      .hash(password, { type: api.argon2.argon2id })
+      .then(hash => callback(null, hash))
+      .catch(error => callback(error));
   };
 
   security.signIn = (
@@ -96,9 +94,17 @@ const mixin = (application) => {
         callback(new Error(AUTH_ERROR));
         return;
       }
-      const passwordHash = security.hash(password);
-      if (passwordHash === user.password) callback(null, user);
-      else callback(new Error(AUTH_ERROR));
+
+      api.argon2
+        .verify(user.password, password)
+        .then(matches => {
+          if (!matches) {
+            callback(new Error(AUTH_ERROR));
+            return;
+          }
+          callback(null, user);
+        })
+        .catch(error => callback(error));
     });
   };
 
@@ -128,19 +134,24 @@ const mixin = (application) => {
     password, // string
     callback // function(err, user)
   ) => {
-    const passwordHash = security.hash(password);
-    security.getUser(login, (err, user) => {
-      if (user) {
-        callback(new Error('Login already registered'), user);
+    security.hash(password, (error, hash) => {
+      if (error) {
+        callback(error);
         return;
       }
-      const record = {
-        category: 'Users', login, password: passwordHash, group: 'users'
-      };
-      application.databases.security.create(record, (err) => {
-        let user;
-        if (!err) user = security.user(record);
-        callback(err, user);
+      security.getUser(login, (err, user) => {
+        if (user) {
+          callback(new Error('Login already registered'), user);
+          return;
+        }
+        const record = {
+          category: 'Users', login, password: hash, group: 'users'
+        };
+        application.databases.security.create(record, (err) => {
+          let user;
+          if (!err) user = security.user(record);
+          callback(err, user);
+        });
       });
     });
   };

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -50,6 +50,7 @@
   },
   "dependencies": {
     "accept-language": "^3.0.18",
+    "argon2": "^0.19.3",
     "concolor": "^0.1.8",
     "csv": "^2.0.0",
     "globalstorage": "^0.2.5",