feat: allow passwords with length > 73 characters (#8818)
* feat: allow passwords longer than 73 characters Context: A bcrypt/blowfish limitation means that password length is capped at 72 characters. We can get around this without compromising on security by hashing all incoming passwords with SHA512, and then sending that to bcrypt. https://dropbox.tech/security/how-dropbox-securely-stores-your-passwords * feat: add additional test for passwords > 73 chars * fix: remove 'password-too-long' error message and all invocations * test: added test to show that a super long password won't bring down NodeBB * fix: remove debug log * Revert "fix: remove 'password-too-long' error message and all invocations" This reverts commit 1e312bf. * fix: added back password length checks, but at 512 chars As processing a large string still uses a lot of memory
Showing
8 changed files
with
73 additions
and
9 deletions.
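--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,52 @@
+'use strict';
+
+const assert = require('assert');
+const bcrypt = require('bcryptjs');
+
+const password = require('../src/password');
+
+describe('Password', () => {
+describe('.hash()', () => {
+it('should return a password hash when called', async () => {
+const hash = await password.hash(12, 'test');
+assert(hash.startsWith('$2a$'));
+});
+});
+
+describe('.compare()', async () => {
+const salt = await bcrypt.genSalt(12);
+
+it('should correctly compare a password and a hash', async () => {
+const hash = await password.hash(12, 'test');
+const match = await password.compare('test', hash, true);
+assert(match);
+});
+
+it('should correctly handle comparison with no sha wrapping of the input (backwards compatibility)', async () => {
+const hash = await bcrypt.hash('test', salt);
+const match = await password.compare('test', hash, false);
+assert(match);
+});
+
+it('should continue to function even with passwords > 73 characters', async () => {
+const arr = [];
+arr.length = 100;
+const hash = await password.hash(12, arr.join('a'));
+
+arr.length = 150;
+const match = await password.compare(arr.join('a'), hash, true);
+assert.strictEqual(match, false);
+});
+
+it('should process a million-character long password quickly', async () => {
+// ... because sha512 reduces it to a constant size
+const arr = [];
+const start = Date.now();
+arr.length = 1000000;
+await password.hash(12, arr.join('a'));
+const end = Date.now();
+
+assert(end - start < 5000);
+});
+});
+});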
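Review bot: The `.compare()` suite at `describe('.compare()', async () => {` awaits `bcrypt.genSalt(12)` before registering its `it` cases, but mocha does not await a describe callback, so those cases are registered only after the suite has been collected and may be skipped or attached to the wrong suite; the backwards-compatibility case in particular might never execute. Generate the salt in a hook instead: `describe('.compare()', () => {`, `let salt;`, `before(async () => { salt = await bcrypt.genSalt(12); });`. The wall-clock check `assert(end - start < 5000);` depends on the CI host's cost-12 bcrypt timing and is likely to be flaky; asserting that the million-character hash call resolves to a `$2a$` string is the robust form of the same guarantee. No case checks that a password longer than 72 characters still compares true against its own hash; that positive check is what would catch a pre-hash whose raw digest bytes reach bcrypt unencoded (bcrypt stops at a NUL byte), which this hunk cannot show either way because `src/password` is outside it.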