MyFavMirrors/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-01-11 15:03:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

Added automatic password hashing upgrade.

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2017-11-02 18:53:27 -07:00
parent c0d0166184
commit 0efc531558
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
webserver.js
View File

@ -42,8 +42,6 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
obj.net = require('net'); obj.net = require('net');
obj.tls = require('tls'); obj.tls = require('tls');
obj.path = require('path'); obj.path = require('path');
obj.hash = require('./pass').hash;
obj.hash2 = require('./pass').hash2;
obj.constants = require('constants'); obj.constants = require('constants');
obj.bodyParser = require('body-parser'); obj.bodyParser = require('body-parser');
obj.session = require('express-session'); obj.session = require('express-session');
@ -178,14 +176,18 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
} else { } else {
if (user.passtype != null) { if (user.passtype != null) {
// IIS default clear or weak password hashing (SHA-1) // IIS default clear or weak password hashing (SHA-1)
obj.iishash(user.passtype, pass, user.salt, function (err, hash) { require('./pass').iishash(user.passtype, pass, user.salt, function (err, hash) {
if (err) return fn(err); if (err) return fn(err);
if (hash == user.hash) return fn(null, user._id); if (hash == user.hash) {
// Update the password to the stronger format.
require('./pass').hash(pass, function (err, salt, hash) { if (err) throw err; user.salt = salt; user.hash = hash; delete user.passtype; obj.db.SetUser(user); });
return fn(null, user._id);
}
fn(new Error('invalid password'), null, user.passhint); fn(new Error('invalid password'), null, user.passhint);
}); });
} else { } else {
// Default strong password hashing // Default strong password hashing (pbkdf2 SHA384)
obj.hash(pass, user.salt, function (err, hash) { require('./pass').hash(pass, user.salt, function (err, hash) {
if (err) return fn(err); if (err) return fn(err);
if (hash == user.hash) return fn(null, user._id); if (hash == user.hash) return fn(null, user._id);
fn(new Error('invalid password'), null, user.passhint); fn(new Error('invalid password'), null, user.passhint);
@ -341,7 +343,7 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
req.session.userid = user._id; req.session.userid = user._id;
req.session.domainid = domain.id; req.session.domainid = domain.id;
// Create a user, generate a salt and hash the password // Create a user, generate a salt and hash the password
obj.hash(req.body.password1, function (err, salt, hash) { require('./pass').hash(req.body.password1, function (err, salt, hash) {
if (err) throw err; if (err) throw err;
user.salt = salt; user.salt = salt;
user.hash = hash; user.hash = hash;
@ -383,7 +385,7 @@ module.exports.CreateWebServer = function (parent, db, args, secret, certificate
if (!req.session || !req.session.userid || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.domainid != domain.id)) { res.redirect(domain.url); return; } if (!req.session || !req.session.userid || !req.body.apassword1 || (req.body.apassword1 != req.body.apassword2) || (req.session.domainid != domain.id)) { res.redirect(domain.url); return; }
// Update the password // Update the password
obj.hash(req.body.apassword1, function (err, salt, hash) { require('./pass').hash(req.body.apassword1, function (err, salt, hash) {
if (err) throw err; if (err) throw err;
var hint = req.body.apasswordhint; var hint = req.body.apasswordhint;
if (hint.length > 250) hint = hint.substring(0, 250); if (hint.length > 250) hint = hint.substring(0, 250);