6245d1eabd
bcrypt with a fixed salt is deterministic but defeats the purpose of bcrypt salting. API keys are high-entropy UUIDs (128 bits), making brute-force resistance unnecessary — HMAC-SHA256 with the app secret is the correct primitive for deterministic, secure key hashing. Also fixes application.author.id → application.authorId in the API key auth path, which was silently setting req.payload.id to undefined.
21 lines
857 B
JavaScript
21 lines
857 B
JavaScript
var secret = require('.').secret;
|
|
const crypto = require('crypto');
|
|
const passport = require('passport');
|
|
var HeaderAPIKeyStrategy = require('passport-headerapikey').HeaderAPIKeyStrategy;
|
|
const DB = require('../database/mysql');
|
|
|
|
passport.use('headerapikey', new HeaderAPIKeyStrategy(
|
|
{ header: 'Authorization', prefix: `${process.env.AUTHORIZATION_PREFIX} ` },
|
|
false,
|
|
function (apikey, done) {
|
|
const encryptedKey = crypto.createHmac('sha256', secret).update(apikey).digest('hex');
|
|
DB.Application.findOne({ where: { apikey: encryptedKey } })
|
|
.then(function (application) {
|
|
if (!application) {
|
|
return done({ message: "Application can't be found.", status: 404 }, false, false);
|
|
}
|
|
return done(null, application);
|
|
}).catch(done);
|
|
}
|
|
));
|