From dc52209c286a8841487209210215b677bbdb48eb Mon Sep 17 00:00:00 2001
From: Insert5StarName
Date: Wed, 27 Sep 2023 21:30:24 +0200
Subject: [PATCH] upd: rehash misskey passwords
---
 .../src/server/api/SigninApiService.ts | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index ef6411250f..687913731c 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -6,6 +6,7 @@ import { Inject, Injectable } from '@nestjs/common';
 //import bcrypt from 'bcryptjs';
 import * as argon2 from 'argon2';
+import bcrypt from "bcryptjs";
 import * as OTPAuth from 'otpauth';
 import { IsNull } from 'typeorm';
 import { DI } from '@/di-symbols.js';
@@ -25,7 +26,22 @@ import { RateLimiterService } from './RateLimiterService.js';
 import { SigninService } from './SigninService.js';
 import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types';
 import type { FastifyReply, FastifyRequest } from 'fastify';
+async function hashPassword(password: string): Promise {
+ return argon2.hash(password);
+}
+async function comparePassword(
+ password: string,
+ hash: string,
+): Promise {
+ if (isOldAlgorithm(hash)) return bcrypt.compare(password, hash);
+ return argon2.verify(hash, password);
+}
+
+function isOldAlgorithm(hash: string): boolean {
+ // bcrypt hashes start with $2[ab]$
+ return hash.startsWith("$2");
+}
 @Injectable()
 export class SigninApiService {
 constructor(
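Review bot: The new `import bcrypt from "bcryptjs";` duplicates the commented-out `//import bcrypt from 'bcryptjs';` two lines above it, and uses double quotes where every other import in this hunk uses single quotes. Restoring the original line in place and deleting the stale comment keeps the import block consistent: `import bcrypt from 'bcryptjs';`. This assumes bcryptjs is still declared as a dependency of packages/backend, which the patch does not show; if it was dropped when argon2 was introduced, it has to come back for this to build.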
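Review bot: The comment on `isOldAlgorithm` says bcrypt hashes start with `$2[ab]$`, but the check `hash.startsWith("$2")` also accepts `$2y$` (a valid bcrypt variant), so the comment understates what the function matches; reword it to `// bcrypt hashes start with $2a$, $2b$ or $2y$; argon2 hashes start with $argon2` so the next reader does not tighten the check to fit the comment. None of the three helpers is documented; a short TSDoc on `comparePassword` should state that it dispatches on the stored hash's prefix so bcrypt hashes from before the argon2 switch still verify, and one on `isOldAlgorithm` should say it exists to drive the rehash-on-login migration and can be removed once no `$2` hashes remain in the database. Style: the helpers use double quotes where the file uses single quotes, there is no blank line between `hashPassword` and `comparePassword` or between the final `}` and `@Injectable()`, and the `Promise` return types appear with their type arguments missing in this rendering of the patch (presumably `Promise<string>` and `Promise<boolean>` in the actual file).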
@@ -124,8 +140,11 @@ export class SigninApiService {
 const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
 // Compare password
- const same = await argon2.verify(profile.password!, password);
-
+ const same = await comparePassword(password, profile.password!);
+ if (same && isOldAlgorithm(profile.password!)) {
+ profile.password = await hashPassword(password);
+ await this.userProfilesRepository.save(profile);
+ }
 const fail = async (status?: number, failure?: { id: string }) => {
 // Append signin history
 await this.signinsRepository.insert({
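Review bot: `this.userProfilesRepository.save(profile)` writes back the whole profile entity to change a single column; a column-scoped TypeORM `update()` is the lighter choice on the sign-in path (as far as I recall, `save()` on an existing entity first re-selects it to compute the changed columns) and limits the write to what this code actually owns: `const rehashed = await hashPassword(password);` / `await this.userProfilesRepository.update({ userId: user.id }, { password: rehashed });` / `profile.password = rehashed;`. The migration side effect deserves a comment, because a reader of the sign-in handler will not expect a database write between the password check and the rest of the flow: `// Transparent bcrypt -> argon2 migration: the plaintext is only available at sign-in, so rehash on the first successful verify; remove once no $2 hashes remain.` Note that the rehash happens before `fail` is defined and before whatever second-factor checks presumably follow, which is fine for correctness (the password has already been verified) but means an error from the write propagates out of the handler instead of being recorded as a sign-in failure; logging a write error and continuing the sign-in would be more robust, since the old hash still works on the next attempt. The enclosing method starts and ends outside the hunk.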