Clean up injection
parent
8fc025140b
commit
adc50cc7a6
|
@ -89,9 +89,10 @@ final class Env(
|
|||
rankingApi = rankingApi
|
||||
)
|
||||
|
||||
lazy val passwordHasher = new TimedPasswordHasher(
|
||||
lazy val passwordHasher = new PasswordHasher(
|
||||
secret = PasswordBPassSecret,
|
||||
logRounds = 10
|
||||
logRounds = 10,
|
||||
lila.mon.measure(_.user.auth.hashTime)
|
||||
)
|
||||
|
||||
lazy val upgradeShaPasswords = PasswordUpgradeSha
|
||||
|
|
|
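Review bot: The third constructor argument `lila.mon.measure(_.user.auth.hashTime)` in the new `PasswordHasher(...)` call is positional after two named arguments; naming it too, `hashTimer = lila.mon.measure(_.user.auth.hashTime)`, keeps the call consistent with `secret =` and `logRounds =` and survives a later reordering of the parameters. The value must have type `(=> Array[Byte]) => Array[Byte]`; presumably `lila.mon.measure` returns such a by-name wrapper, which cannot be confirmed from this page. The enclosing `Env` class starts before the hunk and continues after it.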
@ -30,12 +30,13 @@ private[user] class DumbAes(secret: String) {
|
|||
def decrypt(data: Array[Byte]) = process(DECRYPT_MODE, data)
|
||||
}
|
||||
|
||||
sealed class PasswordHasher(secret: String, logRounds: Int) {
|
||||
sealed class PasswordHasher(secret: String, logRounds: Int,
|
||||
hashTimer: (=> Array[Byte]) => Array[Byte] = x => x) {
|
||||
import org.mindrot.BCrypt
|
||||
|
||||
private val aes = new DumbAes(secret)
|
||||
protected def bHash(pass: String, salt: Array[Byte]) =
|
||||
BCrypt.hashpwRaw(pass, 'a', logRounds, salt)
|
||||
hashTimer(BCrypt.hashpwRaw(pass, 'a', logRounds, salt))
|
||||
|
||||
def hash(pass: String) = {
|
||||
val salt = BCrypt.gensaltRaw
|
||||
|
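Review bot: `PasswordHasher` is still declared `sealed` although the only subclass, `TimedPasswordHasher`, is removed further down in this commit; with nothing left to extend it, `final class PasswordHasher(secret: String, logRounds: Int, hashTimer: ...)` states the intent, and `bHash` can then be `private` rather than `protected`. The `hashTimer` contract also deserves a comment on the parameter, because its argument is by-name: a wrapper that forces it twice runs bcrypt twice per call and one that never forces it returns nothing usable, so something like `// hashTimer must force its by-name argument exactly once (e.g. lila.mon.measure); default is identity`. The class body continues past this hunk.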
@ -46,12 +47,4 @@ sealed class PasswordHasher(secret: String, logRounds: Int) {
|
|||
val (salt, hash) = aes.decrypt(encHash).splitAt(16)
|
||||
BCrypt.bytesEqualSecure(hash, bHash(pass, salt))
|
||||
}
|
||||
}
|
||||
|
||||
class TimedPasswordHasher(secret: String, logRounds: Int)
|
||||
extends PasswordHasher(secret, logRounds) {
|
||||
protected override def bHash(pass: String, salt: Array[Byte]) =
|
||||
lila.mon.measure(_.user.auth.hashTime) {
|
||||
super.bHash(pass, salt)
|
||||
}
|
||||
}
|
|
@ -258,8 +258,7 @@ object User {
|
|||
}
|
||||
}
|
||||
|
||||
class Authenticator(passHasher: PasswordHasher,
|
||||
authMon: Option[lila.mon.user.auth.type] = Some(lila.mon.user.auth)) {
|
||||
class Authenticator(passHasher: PasswordHasher, onShaLogin: => Unit) {
|
||||
import com.roundeights.hasher.Implicits._
|
||||
|
||||
private def salted(p: String, salt: String) = s"$p{$salt}"
|
||||
|
@ -283,7 +282,7 @@ class Authenticator(passHasher: PasswordHasher,
|
|||
|
||||
bpass match {
|
||||
// Deprecated fallback. Log & fail after DB migration.
|
||||
case None => password ?? { authMon.foreach { _.shaLogin() }; _ == newP }
|
||||
case None => password ?? { onShaLogin; _ == newP }
|
||||
case Some(bHash) => passHasher.check(bHash, salted(newP, _id))
|
||||
}
|
||||
}
|
||||
|
|
|
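Review bot: In `case None => password ?? { onShaLogin; _ == newP }` the hook runs as a statement before the comparison lambda is built, so it fires on every attempt that reaches the SHA fallback, wrong password included — it counts attempts, not successful SHA logins, which the metric name and the "Log & fail after DB migration" comment can be read as promising. The replaced `authMon.foreach { _.shaLogin() }` behaved the same way, so this commit does not change it; if attempts are the intended measure, say so with `// counts every attempt against a SHA-only account, not only successful logins`, and if successful logins are meant, `case None => password ?? { p => val ok = p == newP; if (ok) onShaLogin; ok }`. Whether the block is evaluated at all when `password` is `None` depends on whether `??` takes its argument strictly, which is not visible here. The enclosing method starts before this hunk, and the `Authenticator` constructor in the previous hunk would benefit from a scaladoc line such as `@param onShaLogin by-name hook re-evaluated each time the legacy SHA fallback is taken; pass () to disable`.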
@ -230,7 +230,10 @@ object UserRepo {
|
|||
def authenticateByEmail(email: EmailAddress, password: String): Fu[Option[User]] =
|
||||
loginCandidateByEmail(email) map { _ flatMap { _(password) } }
|
||||
|
||||
private val authWrapper = new Authenticator(Env.current.passwordHasher)
|
||||
private val authWrapper = new Authenticator(
|
||||
Env.current.passwordHasher, lila.mon.user.auth.shaLogin()
|
||||
)
|
||||
|
||||
import authWrapper.{ passEnc, AuthData }
|
||||
|
||||
// This creates a bcrypt hash using the existing sha as input,
|
||||
|
|
|
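Review bot: `lila.mon.user.auth.shaLogin()` in the new `Authenticator(...)` construction reads like an eager call made once at construction time, but it binds to the by-name `onShaLogin` parameter and therefore runs only when the fallback branch references it; a comment, `// by-name: invoked on each SHA fallback, not at construction`, stops the next reader from "fixing" it into a stored value or a `() => ...` with different timing. The hasher is still obtained through `Env.current.passwordHasher`, so the injection cleanup stops one level short in this object; that is pre-existing and fine for a follow-up.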
@ -6,7 +6,7 @@ import java.util.Base64
|
|||
class AuthTest extends Specification {
|
||||
|
||||
val secret = Array.fill(32)(1.toByte).toBase64
|
||||
val authWrapper = new Authenticator(new PasswordHasher(secret, 2), None)
|
||||
val authWrapper = new Authenticator(new PasswordHasher(secret, 2), ())
|
||||
import authWrapper.{ passEnc, AuthData }
|
||||
|
||||
// Extracted from mongo
|
||||
|
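Review bot: Both `Authenticator` constructions in this file, `new Authenticator(new PasswordHasher(secret, 2), ())` here and `new Authenticator(badHasher, ())` in the "wrong secret" test, pass `()` as the hook, so nothing asserts that `onShaLogin` is actually re-evaluated on the SHA fallback path, which is the behaviour the new by-name parameter is relied on for. A short test with `var hits = 0` and `new Authenticator(new PasswordHasher(secret, 2), hits += 1)`, exercising `AuthData(...).compare(...)` on a SHA-only fixture and then checking `hits must_== 1`, would pin it. The fixtures and the `AuthData` shape live outside this hunk, so the exact setup has to be taken from the rest of the file.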
@ -43,7 +43,7 @@ class AuthTest extends Specification {
|
|||
// sanity check of aes encryption
|
||||
"wrong secret" >> !{
|
||||
val badHasher = new PasswordHasher((new Array[Byte](32)).toBase64, 2)
|
||||
new Authenticator(badHasher, None).AuthData(
|
||||
new Authenticator(badHasher, ()).AuthData(
|
||||
_id = "foo",
|
||||
bpass = bCryptUser.bpass
|
||||
).compare("password")
|
||||
|
|