use argon2id

11 months ago · c42f3ecdc5
6 changed files with 45 additions and 33 deletions
--- a/src/package.json
+++ b/src/package.json
@ -25,8 +25,8 @@
    "@pinia/nuxt": "^0.5.4",
    "@tailwindcss/forms": "^0.5.8",
    "apexcharts": "^3.53.0",
+    "argon2": "^0.41.1",
    "basic-auth": "^2.0.1",
-    "bcryptjs": "^2.4.3",
    "cidr-tools": "^11.0.2",
    "crc-32": "^1.2.2",
    "debug": "^4.3.6",
@ -45,7 +45,6 @@
  },
  "devDependencies": {
    "@nuxt/eslint-config": "^0.5.5",
-    "@types/bcryptjs": "^2.4.6",
    "@types/debug": "^4.1.12",
    "@types/qrcode": "^1.5.5",
    "eslint": "^9.9.1",
--- a/src/pnpm-lock.yaml
+++ b/src/pnpm-lock.yaml
@ -26,12 +26,12 @@ importers:
      apexcharts:
        specifier: ^3.53.0
        version: 3.53.0
+      argon2:
+        specifier: ^0.41.1
+        version: 0.41.1
      basic-auth:
        specifier: ^2.0.1
        version: 2.0.1
-      bcryptjs:
-        specifier: ^2.4.3
-        version: 2.4.3
      cidr-tools:
        specifier: ^11.0.2
        version: 11.0.2
@ -81,9 +81,6 @@ importers:
      '@nuxt/eslint-config':
        specifier: ^0.5.5
        version: 0.5.5(eslint@9.9.1(jiti@1.21.6))(typescript@5.5.4)
-      '@types/bcryptjs':
-        specifier: ^2.4.6
-        version: 2.4.6
      '@types/debug':
        specifier: ^4.1.12
        version: 4.1.12
@ -1013,6 +1010,10 @@ packages:
    resolution: {integrity: sha512-HNjmfLQEVRZmHRET336f20H/8kOozUGwk7yajvsonjNxbj2wBTK1WsQuHkD5yYh9RxFGL2EyDHryOihOwUoKDA==}
    engines: {node: '>= 10.0.0'}

+  '@phc/format@1.0.0':
+    resolution: {integrity: sha512-m7X9U6BG2+J+R1lSOdCiITLLrxm+cWlNI3HUFA92oLO77ObGNzaKdh8pMLqdZcshtkKuV84olNNXDfMc4FezBQ==}
+    engines: {node: '>=10'}
+
  '@pinia/nuxt@0.5.4':
    resolution: {integrity: sha512-nNEs2pq6+Ji5qIyRwmeD9LUdctL8aJ8QMVLTYxUc16cXEOcIIN+MSA8Xudsd0lVETYgEAROT5HiBHnOYRDY3yQ==}

@ -1211,9 +1212,6 @@ packages:
    resolution: {integrity: sha512-L7z9BgrNEcYyUYtF+HaEfiS5ebkh9jXqbszz7pC0hRBPaatV0XjSD3+eHrpqFemQfgwiFF0QPIarnIihIDn7OA==}
    engines: {node: '>=10.13.0'}

-  '@types/bcryptjs@2.4.6':
-    resolution: {integrity: sha512-9xlo6R2qDs5uixm0bcIqCeMCE6HiQsIyel9KQySStiyqNl2tnj2mP3DX1Nf56MD6KMenNNlBBsy3LJ7gUEQPXQ==}
-
  '@types/debug@4.1.12':
    resolution: {integrity: sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==}

@ -1520,6 +1518,10 @@ packages:
  arg@5.0.2:
    resolution: {integrity: sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==}

+  argon2@0.41.1:
+    resolution: {integrity: sha512-dqCW8kJXke8Ik+McUcMDltrbuAWETPyU6iq+4AhxqKphWi7pChB/Zgd/Tp/o8xRLbg8ksMj46F/vph9wnxpTzQ==}
+    engines: {node: '>=16.17.0'}
+
  argparse@2.0.1:
    resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}

@ -1567,9 +1569,6 @@ packages:
    resolution: {integrity: sha512-NF+epuEdnUYVlGuhaxbbq+dvJttwLnGY+YixlXlME5KpQ5W3CnXA5cVTneY3SPbPDRkcjMbifrwmFYcClgOZeg==}
    engines: {node: '>= 0.8'}

-  bcryptjs@2.4.3:
-    resolution: {integrity: sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==}
-
  binary-extensions@2.3.0:
    resolution: {integrity: sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==}
    engines: {node: '>=8'}
@ -3034,6 +3033,10 @@ packages:
  node-addon-api@7.1.1:
    resolution: {integrity: sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==}

+  node-addon-api@8.1.0:
+    resolution: {integrity: sha512-yBY+qqWSv3dWKGODD6OGE6GnTX7Q2r+4+DfpqxHSHh8x0B4EKP9+wVGLS6U/AM1vxSNNmUEuIV5EGhYwPpfOwQ==}
+    engines: {node: ^18 || ^20 || >= 21}
+
  node-fetch-native@1.6.4:
    resolution: {integrity: sha512-IhOigYzAKHd244OC0JIMIUrjzctirCmPkaIfhDeGcEETWof5zKYUW7e7MYvChGWh/4CJeXEgsRyGzuF334rOOQ==}

@ -5487,6 +5490,8 @@ snapshots:
      '@parcel/watcher-win32-ia32': 2.4.1
      '@parcel/watcher-win32-x64': 2.4.1

+  '@phc/format@1.0.0': {}
+
  '@pinia/nuxt@0.5.4(magicast@0.3.5)(rollup@4.21.2)(typescript@5.5.4)(vue@3.4.38(typescript@5.5.4))':
    dependencies:
      '@nuxt/kit': 3.13.0(magicast@0.3.5)(rollup@4.21.2)
@ -5654,8 +5659,6 @@ snapshots:

  '@trysound/sax@0.2.0': {}

-  '@types/bcryptjs@2.4.6': {}
-
  '@types/debug@4.1.12':
    dependencies:
      '@types/ms': 0.7.34
@ -6085,6 +6088,12 @@ snapshots:

  arg@5.0.2: {}

+  argon2@0.41.1:
+    dependencies:
+      '@phc/format': 1.0.0
+      node-addon-api: 8.1.0
+      node-gyp-build: 4.8.2
+
  argparse@2.0.1: {}

  ast-kit@1.1.0:
@ -6130,8 +6139,6 @@ snapshots:
    dependencies:
      safe-buffer: 5.1.2

-  bcryptjs@2.4.3: {}
-
  binary-extensions@2.3.0: {}

  bindings@1.5.0:
@ -7732,6 +7739,8 @@ snapshots:

  node-addon-api@7.1.1: {}

+  node-addon-api@8.1.0: {}
+
  node-fetch-native@1.6.4: {}

  node-fetch@2.7.0:
--- a/src/server/api/session.post.ts
+++ b/src/server/api/session.post.ts
@ -15,7 +15,8 @@ export default defineEventHandler(async (event) => {
    });

  const userHashPassword = user.password;
-  if (!isPasswordValid(password, userHashPassword)) {
+  const passwordValid = await isPasswordValid(password, userHashPassword);
+  if (!passwordValid) {
    throw createError({
      statusCode: 401,
      statusMessage: 'Incorrect credentials',
--- a/src/server/middleware/session.ts
+++ b/src/server/middleware/session.ts
@ -33,7 +33,11 @@ export default defineEventHandler(async (event) => {
      });

    const userHashPassword = user.password;
-    if (isPasswordValid(authorization, userHashPassword)) {
+    const passwordValid = await isPasswordValid(
+      authorization,
+      userHashPassword
+    );
+    if (passwordValid) {
      return;
    }
    throw createError({
--- a/src/server/utils/password.ts
+++ b/src/server/utils/password.ts
@ -1,21 +1,18 @@
-import bcrypt from 'bcryptjs';
+import argon2 from 'argon2';

 /**
- * Checks if `password` matches the user password.
- *
- * @param {string} password string to test
- * @returns {boolean} `true` if matching user password, otherwise `false`
+ * Checks if `password` matches the hash.
 */
-export function isPasswordValid(password: string, hash: string): boolean {
-  return bcrypt.compareSync(password, hash);
+export function isPasswordValid(
+  password: string,
+  hash: string
+): Promise<boolean> {
+  return argon2.verify(hash, password);
 }

 /**
 * Hashes a password.
- *
- * @param {string} password - The plaintext password to hash
- * @returns {string} The hash of the password
 */
-export function hashPassword(password: string): string {
-  return bcrypt.hashSync(password, 12);
+export async function hashPassword(password: string): Promise<string> {
+  return argon2.hash(password);
 }
--- a/src/services/database/lowdb.ts
+++ b/src/services/database/lowdb.ts
@ -91,9 +91,11 @@ export default class LowDB extends DatabaseProvider {
    const now = new Date().toISOString();
    const isUserEmpty = this.#db.data.users.length === 0;

+    const hash = await hashPassword(password);
+
    const newUser: User = {
      id: crypto.randomUUID(),
-      password: hashPassword(password),
+      password: hash,
      username,
      name: 'Administrator',
      role: isUserEmpty ? 'ADMIN' : 'CLIENT',