From cf1b40542c41b3c78e83650e4e73e596c85ff160 Mon Sep 17 00:00:00 2001 From: Jannik Schönartz Date: Tue, 26 Feb 2019 02:46:36 +0000 Subject: [account] Fix for the changePassword method User upadate changes didn't hashed the new password correctly changePassword from promises reworked to async / await (much cleaner) Check weather the usertable is empty is now a get request and not mixed in the post request --- server/lib/authentication.js | 68 +++++++++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 30 deletions(-) (limited to 'server/lib/authentication.js') diff --git a/server/lib/authentication.js b/server/lib/authentication.js index b9c87d1..9a91850 100644 --- a/server/lib/authentication.js +++ b/server/lib/authentication.js @@ -54,11 +54,15 @@ async function signup (req, res) { var userPassword = Buffer.from(params.password) // Register user - const hash = await pwd.hash(userPassword) - // if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' }) + try { + var hash = await pwd.hash(userPassword) + } catch (error) { + return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' }) + } // Saving the non improved hash and creating the user in the db. const newUser = await db.user.create({ username: params.username, password: hash, email: params.email, name: params.name }) + // TODO: Username could also be used because those are unique as well. var userId = newUser.id @@ -77,34 +81,38 @@ function logout (req, res) { // Maybe use express-jwt and use the rewoke function. } -function changePassword (req, res) { - // Check if the new password is different. - if (req.body.passwordCurrent === req.body.passwordNew) return res.status(500).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' }) - +async function changePassword (req, res) { // 1. Get the user and verify it's existence. - db.user.findOne({ where: { id: req.params.id } }).then(user => { - if (user) { - const pwCurrent = Buffer.from(req.body.passwordCurrent) - const pwNew = Buffer.from(req.body.passwordNew) - // 2. Verify the current hast with the provided current password. - verifyHash(res, pwCurrent, Buffer.from(user.password), user.id, () => { - // 3. Check if the new provided password fullfills the requirements - if (validatePassword(req.body.passwordNew)) { - // 4. Calculate the new password hash. - pwd.hash(pwNew, (err, hash) => { - if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' }) - // 5. Write the hash in the db - user.update({ password: hash }).then(() => { - // 6. Verify & improving the hash. - verifyHash(res, pwNew, hash, user.id, () => { - res.status(200).send({ auth: true, status: 'VALID' }) - }) - }) - }) - } else res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' }) - }) - } else res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' }) - }) + let user = await db.user.findOne({ where: { id: req.params.id } }) + if (!user) return res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' }) + + const pwNew = Buffer.from(req.body.password) + + // 2. Only if the current password is set we have to check if it's valid. + // This is because root can set passwords witout having the old ones. + // But the authentication if you can call this function without the currentPasswords needs to be in the API. + if (req.body.passwordCurrent) { + // Verify the current hast with the provided current password. + const pwCurrent = Buffer.from(req.body.passwordCurrent) + await verifyHash(res, pwCurrent, Buffer.from(user.password), user.id) + } + + // 3. Check if the new provided password fullfills the requirements + if (!validatePassword(req.body.password)) return res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' }) + + // 4. Calculate the new password hash. + try { + var hash = await pwd.hash(pwNew) + } catch (error) { + return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' }) + } + + // 5. Write the hash in the dbW + await user.update({ password: hash }) + + // 6. Verify & improving the hash. + await verifyHash(res, pwNew, hash, user.id) + res.status(200).send({ auth: true, status: 'VALID' }) } // Middleware function. @@ -185,7 +193,7 @@ function verifyUser (res, username, password, callback) { } // The verify hash function from the secure-passwords with error handling. -function verifyHash (res, password, hash, userId, callback) { +function verifyHash (res, password, hash, userId, callback = () => {}) { // Check if the hash in the database fullfills the requirements needed for pwd.verify. // Hash will be a Buffer of length SecurePassword.HASH_BYTES. if (hash.length !== securePassword.HASH_BYTES) return res.status(401).send({ auth: false, status: 'DATABASE_HASH_INVALID', error_message: 'The hash in the database is corrupted.' }) -- cgit v1.2.3-55-g7522