From cbc9b01d475027b1fb21897757ce430bf44a9a53 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Wed, 31 Jul 2024 13:05:56 +0200 Subject: [PATCH 1/7] Initial update --- .env.example | 4 ++++ src/document/crypto.ts | 3 ++- src/server.ts | 7 +++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.env.example b/.env.example index 27b7622..c98278a 100644 --- a/.env.example +++ b/.env.example @@ -13,6 +13,10 @@ # Is website served over HTTPS? [true]:boolean #TLS=true +# Salt for hashing passwords []:string +# (Generate a unique secure salt: echo $(openssl rand -base64 32)) +#SALT= + ## DOCUMENTATION: # Enable documentation? [false]:boolean #DOCS_ENABLED=false diff --git a/src/document/crypto.ts b/src/document/crypto.ts index 6d77bb4..f0603fc 100644 --- a/src/document/crypto.ts +++ b/src/document/crypto.ts @@ -1,4 +1,5 @@ import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'; +import { env } from '../server.ts'; const cipherAlgorithm = 'aes-256-gcm'; const hashAlgorithm = 'blake2b256'; @@ -26,7 +27,7 @@ export const crypto = { }, hash: (password: string, encoding: 'base64' | 'binary' = 'base64'): string | Uint8Array => { - const hasher = new Bun.CryptoHasher(hashAlgorithm).update(password); + const hasher = new Bun.CryptoHasher(hashAlgorithm).update(password + env.salt); switch (encoding) { case 'base64': { diff --git a/src/server.ts b/src/server.ts index d835f2f..4f395d0 100644 --- a/src/server.ts +++ b/src/server.ts @@ -12,6 +12,7 @@ export const env = { port: envvar('PORT').default(4000).asPortNumber(), logLevel: envvar('LOGLEVEL').default(2).asIntPositive(), tls: envvar('TLS').asBoolStrict() ?? true, + salt: envvar('SALT').asString(), documentMaxSize: envvar('DOCUMENT_MAXSIZE').default(1024).asIntPositive(), docsEnabled: envvar('DOCS_ENABLED').asBoolStrict() ?? false, docsPath: envvar('DOCS_PATH').default('/docs').asString() 
@@ -31,6 +32,12 @@ const instance = new OpenAPIHono().basePath(config.apiPath); export const server = (): typeof instance => { logger.set(env.logLevel); + // Check env + if (!env.salt) { + logger.warn('“SALT” variable unspecified, disabling...'); + logger.warn('In the future you will be required to specify this option in your .env.'); + } + instance.use('*', cors()); instance.onError((err) => { From 906426439f81ccaed9e79ae9c1ed3d1cd9754658 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Wed, 31 Jul 2024 18:27:43 +0200 Subject: [PATCH 2/7] force specify SALT usage --- .env.example | 2 +- src/server.ts | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.env.example b/.env.example index c98278a..d13650c 100644 --- a/.env.example +++ b/.env.example @@ -1,6 +1,6 @@ ## SERVER: # Set log verbosity [2]:integer -# 0=error <- 1=warn <- 2=info <- 3=debug +# (0=error <- 1=warn <- 2=info <- 3=debug) #LOGLEVEL=2 # Port for the server [4000]:integer diff --git a/src/server.ts b/src/server.ts index 4f395d0..e219b88 100644 --- a/src/server.ts +++ b/src/server.ts @@ -34,8 +34,10 @@ export const server = (): typeof instance => { // Check env if (!env.salt) { - logger.warn('“SALT” variable unspecified, disabling...'); - logger.warn('In the future you will be required to specify this option in your .env.'); + logger.error('"SALT" value not specified, can\'t continue...'); + logger.warn('Update your "SALT" environment value, see more at:'); + logger.warn('https://github.com/jspaste/backend/raw/stable/.env.example'); + process.exit(1); } instance.use('*', cors()); From 20d0e1309caafd3897a55a36fc1e6a0d1103be28 Mon Sep 17 00:00:00 2001 From: Mrgaton Date: Thu, 1 Aug 2024 11:23:25 +0200 Subject: [PATCH 3/7] update crypto.ts --- src/document/crypto.ts | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/document/crypto.ts b/src/document/crypto.ts index f0603fc..87cefd8 100644 --- a/src/document/crypto.ts 
+++ b/src/document/crypto.ts @@ -1,9 +1,11 @@ import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'; +import { hash } from 'bun'; import { env } from '../server.ts'; const cipherAlgorithm = 'aes-256-gcm'; const hashAlgorithm = 'blake2b256'; const ivLength = 12; +const saltLength = 24; export const crypto = { encrypt: (data: Uint8Array, password: string): Uint8Array => { @@ -27,19 +29,29 @@ export const crypto = { }, hash: (password: string, encoding: 'base64' | 'binary' = 'base64'): string | Uint8Array => { - const hasher = new Bun.CryptoHasher(hashAlgorithm).update(password + env.salt); + const salt = randomBytes(saltLength); + + return crypto.hash_salted(password, salt, encoding); + }, + + hash_salted: (password: string, salt: Buffer, encoding: 'base64' | 'binary' = 'base64'): string | Uint8Array => { + const hasher = new Bun.CryptoHasher(hashAlgorithm).update(Buffer.concat([Buffer.from(password), salt])); + + const hash = Buffer.concat([salt, hasher.digest()]); switch (encoding) { case 'base64': { - return hasher.digest('base64'); + return hash.toString('base64'); } default: { - return hasher.digest() as Uint8Array; + return hash as Uint8Array; } } }, compare: (password: string, hash: string, encoding: 'base64' | 'binary' = 'base64'): boolean => { - return crypto.hash(password, encoding) === hash; + const salt = Buffer.from(hash, 'base64').slice(0, saltLength); + + return crypto.hash_salted(password, salt, encoding) === hash; } } as const; From 2680b2e9c81caff8dba352a504165883b3c2b97e Mon Sep 17 00:00:00 2001 From: Mrgaton Date: Thu, 1 Aug 2024 11:27:33 +0200 Subject: [PATCH 4/7] perdon --- src/document/crypto.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/document/crypto.ts b/src/document/crypto.ts index 87cefd8..135dc39 100644 --- a/src/document/crypto.ts +++ b/src/document/crypto.ts 
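Review bot: `compare` ignores its `encoding` parameter when it recovers the salt — `Buffer.from(hash, 'base64')` is used unconditionally — and with `encoding: 'binary'` the `hash_salted` result is a `Uint8Array` that is `===`-compared to a string, so that path can never return true. The string equality is also not constant-time; decoding the stored value once, rejecting it if it is too short to hold `saltLength` plus a digest, and comparing with `timingSafeEqual` from `node:crypto` (the module already imported for `randomBytes`) addresses both, as sketched below. Smaller points in the same hunk: `Buffer#slice` is deprecated in favour of `subarray`, `return hash as Uint8Array` asserts what a `Buffer` already is, and `hash_salted` breaks the file's camelCase naming. Note too that blake2b over password‖salt is a fast hash, so if `password` is a low-entropy user secret rather than a high-entropy key a memory-hard KDF would be the expected choice, and that the new salt‖digest output cannot verify hashes stored by the previous code, so existing values need a migration path or a format tag.
```typescript
// … unchanged: hash / hash_salted …
compare: (password: string, hash: string, encoding: 'base64' | 'binary' = 'base64'): boolean => {
	const stored = Buffer.from(hash, 'base64');
	// Must hold the salt plus at least one digest byte before the salt is sliced out
	if (stored.length <= saltLength) return false;
	const candidate = crypto.hash_salted(password, stored.subarray(0, saltLength), 'binary');
	if (typeof candidate === 'string' || candidate.length !== stored.length) return false;
	return timingSafeEqual(candidate, stored);
}
```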
@@ -1,6 +1,4 @@ import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'; -import { hash } from 'bun'; -import { env } from '../server.ts'; const cipherAlgorithm = 'aes-256-gcm'; const hashAlgorithm = 'blake2b256'; From d93907f23fa568ce0667d1e86bade4c14e79fdfa Mon Sep 17 00:00:00 2001 From: Mrgaton Date: Thu, 1 Aug 2024 22:32:10 +0200 Subject: [PATCH 5/7] update 38 files From 5c50af6a217b22d48b00688b3ee85da4e5ccdb0f Mon Sep 17 00:00:00 2001 From: Mrgaton Date: Fri, 2 Aug 2024 11:58:05 +0200 Subject: [PATCH 6/7] update .env.example, crypto.ts and server.ts --- .env.example | 6 +++--- src/document/crypto.ts | 5 ++++- src/server.ts | 8 ++++---- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/.env.example b/.env.example index d13650c..d807e0d 100644 --- a/.env.example +++ b/.env.example @@ -13,9 +13,9 @@ # Is website served over HTTPS? [true]:boolean #TLS=true -# Salt for hashing passwords []:string -# (Generate a unique secure salt: echo $(openssl rand -base64 32)) -#SALT= +# Secret for hashing passwords []:string +# (Generate a unique secure secret: echo $(openssl rand -base64 32)) +#HASH_SECRET= ## DOCUMENTATION: # Enable documentation? [false]:boolean diff --git a/src/document/crypto.ts b/src/document/crypto.ts index 135dc39..d8ed7b2 100644 --- a/src/document/crypto.ts +++ b/src/document/crypto.ts @@ -1,4 +1,5 @@ import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'; +import { env } from '../server.ts'; const cipherAlgorithm = 'aes-256-gcm'; const hashAlgorithm = 'blake2b256'; 
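Review bot: crypto.ts now imports `env` from `../server.ts`, the same import patch 4 had dropped; if server.ts (transitively) loads the document layer that uses `crypto`, this forms an import cycle and `env` can be `undefined` when crypto.ts is first evaluated, depending on module load order. Moving `env` into its own configuration module that both server.ts and crypto.ts import, e.g. `import { env } from '../env.ts';`, removes the cycle and leaves crypto.ts depending on configuration only. Whether server.ts actually reaches crypto.ts is not visible in this hunk, so treat the cycle as something to confirm.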
@@ -33,7 +34,9 @@ export const crypto = { }, hash_salted: (password: string, salt: Buffer, encoding: 'base64' | 'binary' = 'base64'): string | Uint8Array => { - const hasher = new Bun.CryptoHasher(hashAlgorithm).update(Buffer.concat([Buffer.from(password), salt])); + const hasher = new Bun.CryptoHasher(hashAlgorithm).update( + Buffer.concat([Buffer.from(env.hashSecret), Buffer.from(password), salt]) + ); const hash = Buffer.concat([salt, hasher.digest()]); diff --git a/src/server.ts b/src/server.ts index e219b88..1f6ac81 100644 --- a/src/server.ts +++ b/src/server.ts @@ -12,7 +12,7 @@ export const env = { port: envvar('PORT').default(4000).asPortNumber(), logLevel: envvar('LOGLEVEL').default(2).asIntPositive(), tls: envvar('TLS').asBoolStrict() ?? true, - salt: envvar('SALT').asString(), + hashSecret: envvar('HASH_SECRET').asString(), documentMaxSize: envvar('DOCUMENT_MAXSIZE').default(1024).asIntPositive(), docsEnabled: envvar('DOCS_ENABLED').asBoolStrict() ?? false, docsPath: envvar('DOCS_PATH').default('/docs').asString() @@ -33,9 +33,9 @@ export const server = (): typeof instance => { logger.set(env.logLevel); // Check env - if (!env.salt) { - logger.error('"SALT" value not specified, can\'t continue...'); - logger.warn('Update your "SALT" environment value, see more at:'); + if (!env.hashSecret) { + logger.error('"HASH_SECRET" value not specified, can\'t continue...'); + logger.warn('Update your "HASH_SECRET" environment value, see more at:'); logger.warn('https://github.com/jspaste/backend/raw/stable/.env.example'); process.exit(1); } From fc1094e3eece819fc566c060d0319c50a3101b95 Mon Sep 17 00:00:00 2001 From: Mrgaton Date: Fri, 2 Aug 2024 12:23:42 +0200 Subject: [PATCH 7/7] update crypto.ts --- bun.lockb | Bin 386112 -> 386128 bytes src/document/crypto.ts | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) 
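Review bot: the new hasher input `Buffer.concat([secret, password, salt])` is plain concatenation with no length framing, so the boundary between secret and password is ambiguous — the pair (secret `ab`, password `c`) hashes identically to (secret `a`, password `bc`); a keyed construction such as `createHmac` from `node:crypto` keyed with `env.hashSecret` over password‖salt, or a length prefix on each field, removes the ambiguity. `env.hashSecret` is typed `string | undefined` here (`asString()` without `required()`), so `Buffer.from(env.hashSecret)` should not compile under strict settings; the guard in `server()` runs only at startup and does not narrow the type, and patch 7 papers over it with an assertion. Adding the secret also changes every stored digest, so values hashed under the patch 3 format stop verifying unless a migration or format tag is provided. The enclosing `hash_salted` arrow starts above the hunk.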
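Review bot: `hashSecret: envvar('HASH_SECRET').asString()` leaves the value typed `string | undefined`, which is what pushes a `string` assertion into crypto.ts; if `envvar` is env-var's `get`, `hashSecret: envvar('HASH_SECRET').required().asString()` fails when the value is missing and narrows the type to `string`, so the cast becomes unnecessary. Because `env` is built at module evaluation, `required()` would throw at load rather than log and `process.exit(1)` from `server()`; if the friendlier message is wanted, keep that check but narrow the type there instead of at every use.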
diff --git a/bun.lockb b/bun.lockb index d8d980ce9d6e0302510fb537c4c0e7726f39b4a7..a3aed37cd60a9be0b42f1ecdd9b31fd6013caf5e 100755 GIT binary patch delta 453 zcmX?bLj1xB@d{4W~~8{QBn6r2&*N(la#BGhon%%B1qPPdjcHp~u8nXP{?j zs%OaH0F;pe>NzxJ;!dNI7x`crpoEc$LveYsesWIcG%o`!x0w2HL$H(y&@_f9pe9bB zrq-Af35`BnuYfWjCjcFn43yyl%A8`;-0N-7_ysIusAmS0Ny;zMtzcj{E9tVarwl7@3deliLFFz$!p&-AwBr~tLBrzvPFRK`28wivH jl?Io%x}@xQ%nIfom|p*wRgGiOoSYS)D4DMKkZA${CXk0( delta 442 zcmca`Lj1r9@dsL6<38-Lk|Yh9^c<(c { const hasher = new Bun.CryptoHasher(hashAlgorithm).update( - Buffer.concat([Buffer.from(env.hashSecret), Buffer.from(password), salt]) + Buffer.concat([Buffer.from(env.hashSecret as string), Buffer.from(password), salt]) ); const hash = Buffer.concat([salt, hasher.digest()]);
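Review bot: `env.hashSecret as string` silences the `string | undefined` type instead of proving the value exists; the only guard is the runtime check in `server()`, which the type checker cannot see and which is bypassed if `crypto.hash_salted` is called before `server()` runs (tests, scripts), in which case `Buffer.from(undefined as string)` throws with an unhelpful message. Prefer making the value required where it is read (`required()` in server.ts, if `envvar` is env-var) or failing fast once at module scope in crypto.ts with `if (!env.hashSecret) throw new Error('HASH_SECRET is not set');`, which keeps the assertion out of the hashing path. The enclosing `hash_salted` arrow starts above the hunk.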