Files
adastra_api/src/config/passport-headerapikey.js
T
julien 6245d1eabd fix(auth): replace fixed-salt bcrypt with HMAC-SHA256 for API key hashing
bcrypt with a fixed salt is deterministic but defeats the purpose of
bcrypt salting. API keys are high-entropy UUIDs (128 bits), making
brute-force resistance unnecessary — HMAC-SHA256 with the app secret
is the correct primitive for deterministic, secure key hashing.

Also fixes application.author.id → application.authorId in the API key
auth path, which was silently setting req.payload.id to undefined.
2026-04-26 20:31:06 +02:00

21 lines
857 B
JavaScript

var secret = require('.').secret;
const crypto = require('crypto');
const passport = require('passport');
var HeaderAPIKeyStrategy = require('passport-headerapikey').HeaderAPIKeyStrategy;
const DB = require('../database/mysql');
passport.use('headerapikey', new HeaderAPIKeyStrategy(
{ header: 'Authorization', prefix: `${process.env.AUTHORIZATION_PREFIX} ` },
false,
function (apikey, done) {
const encryptedKey = crypto.createHmac('sha256', secret).update(apikey).digest('hex');
DB.Application.findOne({ where: { apikey: encryptedKey } })
.then(function (application) {
if (!application) {
return done({ message: "Application can't be found.", status: 404 }, false, false);
}
return done(null, application);
}).catch(done);
}
));