fix(auth): replace fixed-salt bcrypt with HMAC-SHA256 for API key hashing
bcrypt with a fixed salt is deterministic but defeats the purpose of bcrypt salting. API keys are high-entropy UUIDs (128 bits), making brute-force resistance unnecessary — HMAC-SHA256 with the app secret is the correct primitive for deterministic, secure key hashing. Also fixes application.author.id → application.authorId in the API key auth path, which was silently setting req.payload.id to undefined.
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
var secret = require('.').secret,
|
||||
bcrypt = require('bcrypt');
|
||||
var secret = require('.').secret;
|
||||
const crypto = require('crypto');
|
||||
const passport = require('passport');
|
||||
var HeaderAPIKeyStrategy = require('passport-headerapikey').HeaderAPIKeyStrategy;
|
||||
const DB = require('../database/mysql');
|
||||
@@ -8,15 +8,13 @@ passport.use('headerapikey', new HeaderAPIKeyStrategy(
|
||||
{ header: 'Authorization', prefix: `${process.env.AUTHORIZATION_PREFIX} ` },
|
||||
false,
|
||||
function (apikey, done) {
|
||||
const salt = secret;
|
||||
Promise.resolve(bcrypt.hash(apikey, salt)).then(function (encryptedKey) {
|
||||
DB.Application.findOne({ where: { apikey: encryptedKey } })
|
||||
.then(function (application) {
|
||||
if (!application) {
|
||||
return done({ message: "Application can't be found.", status: 404 }, false, false);
|
||||
}
|
||||
return done(null, application);
|
||||
});
|
||||
}).catch(done);
|
||||
const encryptedKey = crypto.createHmac('sha256', secret).update(apikey).digest('hex');
|
||||
DB.Application.findOne({ where: { apikey: encryptedKey } })
|
||||
.then(function (application) {
|
||||
if (!application) {
|
||||
return done({ message: "Application can't be found.", status: 404 }, false, false);
|
||||
}
|
||||
return done(null, application);
|
||||
}).catch(done);
|
||||
}
|
||||
));
|
||||
|
||||
Reference in New Issue
Block a user