Ryan/drop
1
0
Fork 0
mirror of https://github.com/Drop-OSS/drop.git synced 2025-11-13 08:12:40 +10:00
Code Issues Packages Projects Releases Wiki Activity

refactor: use hash directly in authmek and version field on authmek

Browse Source
This commit is contained in:
DecDuck
2025-03-24 12:50:21 +11:00
parent cb4937b590
commit 1996b97e99
5 changed files with 30 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
prisma/migrations/20250324014736_add_auth_mek_version/migration.sql Normal file
View File

@ -0,0 +1,2 @@
-- AlterTable
ALTER TABLE "LinkedAuthMec" ADD COLUMN "version" INTEGER NOT NULL DEFAULT 1;

1
prisma/schema/auth.prisma
View File

@ -7,6 +7,7 @@ model LinkedAuthMec {
mec AuthMec mec AuthMec
enabled Boolean @default(true) enabled Boolean @default(true)
version Int @default(1)
credentials Json credentials Json
user User @relation(fields: [userId], references: [id]) user User @relation(fields: [userId], references: [id])

54
server/api/v1/auth/signin/simple.post.ts
View File

@ -5,7 +5,6 @@ import prisma from "~/server/internal/db/database";
import { import {
checkHashArgon2, checkHashArgon2,
checkHashBcrypt, checkHashBcrypt,
simpleAuth,
} from "~/server/internal/security/simple"; } from "~/server/internal/security/simple";
import sessionHandler from "~/server/internal/session"; import sessionHandler from "~/server/internal/session";
@ -43,16 +42,18 @@ export default defineEventHandler(async (h3) => {
statusCode: 401, statusCode: 401,
statusMessage: "Invalid username or password.", statusMessage: "Invalid username or password.",
}); });
else if (!authMek.user.enabled)
if (!authMek.user.enabled)
throw createError({ throw createError({
statusCode: 403, statusCode: 403,
statusMessage: statusMessage:
"Invalid or disabled account. Please contact the server administrator.", "Invalid or disabled account. Please contact the server administrator.",
}); });
// if using old auth schema // LEGACY bcrypt
if (Array.isArray(authMek.credentials)) { if (authMek.version == 1) {
const hash = authMek.credentials.at(1)?.toString(); const credentials = authMek.credentials as JsonArray | null;
const hash = credentials?.at(1)?.toString();
if (!hash) if (!hash)
throw createError({ throw createError({
@ -69,30 +70,25 @@ export default defineEventHandler(async (h3) => {
// TODO: send user to forgot password screen or something to force them to change their password to new system // TODO: send user to forgot password screen or something to force them to change their password to new system
await sessionHandler.setUserId(h3, authMek.userId, rememberMe); await sessionHandler.setUserId(h3, authMek.userId, rememberMe);
return { result: true, userId: authMek.userId };
} else {
// using new (modern) login flow
const creds = simpleAuth(authMek.credentials);
if (creds instanceof type.errors) {
// hover out.summary to see validation errors
console.error(creds.summary);
throw createError({
statusCode: 403,
statusMessage:
"Invalid password state. Please contact the server administrator.",
});
}
if (!(await checkHashArgon2(password, creds.password)))
throw createError({
statusCode: 401,
statusMessage: "Invalid username or password.",
});
await sessionHandler.setUserId(h3, authMek.userId, rememberMe);
return { result: true, userId: authMek.userId }; return { result: true, userId: authMek.userId };
} }
// V2: argon2
const hash = authMek.credentials as string | undefined;
if (!hash || typeof hash !== "string")
throw createError({
statusCode: 500,
statusMessage:
"Invalid password state. Please contact the server administrator.",
});
if (!(await checkHashArgon2(password, hash)))
throw createError({
statusCode: 401,
statusMessage: "Invalid username or password.",
});
await sessionHandler.setUserId(h3, authMek.userId, rememberMe);
return { result: true, userId: authMek.userId };
}); });

11
server/api/v1/auth/signup/simple.post.ts
View File

@ -2,8 +2,6 @@ import { AuthMec, Invitation } from "@prisma/client";
import prisma from "~/server/internal/db/database"; import prisma from "~/server/internal/db/database";
import { import {
createHashArgon2, createHashArgon2,
simpleAuth,
SimpleAuthType,
} from "~/server/internal/security/simple"; } from "~/server/internal/security/simple";
import { v4 as uuidv4 } from "uuid"; import { v4 as uuidv4 } from "uuid";
import * as jdenticon from "jdenticon"; import * as jdenticon from "jdenticon";
@ -70,17 +68,12 @@ export default defineEventHandler(async (h3) => {
{}, {},
[`internal:read`, `${userId}:write`] [`internal:read`, `${userId}:write`]
); );
const creds: SimpleAuthType = {
version: "v1.0.0",
password: await createHashArgon2(user.password),
};
const [linkMec] = await prisma.$transaction([ const [linkMec] = await prisma.$transaction([
prisma.linkedAuthMec.create({ prisma.linkedAuthMec.create({
data: { data: {
mec: AuthMec.Simple, mec: AuthMec.Simple,
credentials: creds, credentials: await createHashArgon2(user.password),
version: 2,
user: { user: {
create: { create: {
id: userId, id: userId,

7
server/internal/security/simple.ts
View File

@ -2,13 +2,6 @@ import bcrypt from "bcryptjs";
import * as argon2 from "argon2"; import * as argon2 from "argon2";
import { type } from "arktype"; import { type } from "arktype";
export const simpleAuth = type({
version: "string.semver",
password: "string",
});
export type SimpleAuthType = typeof simpleAuth.infer;
export async function checkHashBcrypt(password: string, hash: string) { export async function checkHashBcrypt(password: string, hash: string) {
return await bcrypt.compare(password, hash); return await bcrypt.compare(password, hash);
} }