Make bcrypt rounds configurable

History.md

@@ -1,5 +1,9 @@
 ## v.NEXT
 
+* `Accounts.config` now supports a `bcryptRounds` option that
+  overrides the default 10 rounds currently used to secure passwords.
+  [PR #9044](https://github.com/meteor/meteor/pull/9044)
+
 * Enables passing `false` to `cursor.count()` on the client to prevent skip
   and limit from having an effect on the result.
   [Issue #1201](https://github.com/meteor/meteor/issues/1201)

packages/accounts-base/accounts_common.js

@@ -89,6 +89,9 @@ export class AccountsCommon {
   // - ambiguousErrorMessages {Boolean}
   //     Return ambiguous error messages from login failures to prevent
   //     user enumeration.
+  // - bcryptRounds {Number}
+  //     Allows override of number of bcrypt rounds (aka work factor) used
+  //     to store passwords.
 
   /**
    * @summary Set global accounts options.
@@ -135,7 +138,7 @@ export class AccountsCommon {
     // validate option keys
     var VALID_KEYS = ["sendVerificationEmail", "forbidClientAccountCreation", "passwordEnrollTokenExpirationInDays",
                       "restrictCreationByEmailDomain", "loginExpirationInDays", "passwordResetTokenExpirationInDays",
-                      "ambiguousErrorMessages"];
+                      "ambiguousErrorMessages", "bcryptRounds"];
     _.each(_.keys(options), function (key) {
       if (!_.contains(VALID_KEYS, key)) {
         throw new Error("Accounts.config: Invalid key: " + key);

packages/accounts-base/package.js

@@ -1,6 +1,6 @@
 Package.describe({
   summary: "A user account system",
-  version: "1.3.4"
+  version: "1.3.6"
 });
 
 Package.onUse(function (api) {

packages/accounts-password/package.js

@@ -4,7 +4,7 @@ Package.describe({
   // release process, so versions 2.0.0-beta.2 through -beta.5 and -rc.0
   // have already been published. The next time this package reaches 2.x
   // territory, I would recommend jumping straight to 2.1.0.
-  version: "1.4.1"
+  version: "1.4.2"
 });
 
 Package.onUse(function(api) {

packages/accounts-password/password_server.js

@@ -22,7 +22,7 @@ var bcryptCompare = Meteor.wrapAsync(bcrypt.compare);
 // "sha-256" and then passes the digest to bcrypt.
 
 
-Accounts._bcryptRounds = 10;
+Accounts._bcryptRounds = Accounts._options.bcryptRounds || 10;
 
 // Given a 'password' from the client, extract the string that we should
 // bcrypt. 'password' can be one of:
@@ -52,6 +52,18 @@ var hashPassword = function (password) {
   return bcryptHash(password, Accounts._bcryptRounds);
 };
 
+// Extract the number of rounds used in the specified bcrypt hash.
+const getRoundsFromBcryptHash = hash => {
+  let rounds;
+  if (hash) {
+    const hashSegments = hash.split('$');
+    if (hashSegments.length > 2) {
+      rounds = parseInt(hashSegments[2], 10);
+    }
+  }
+  return rounds;
+};
+
 // Check whether the provided password matches the bcrypt'ed password in
 // the database user record. `password` can be a string (in which case
 // it will be run through SHA256 before bcrypt) or an object with
@@ -63,10 +75,22 @@ Accounts._checkPassword = function (user, password) {
     userId: user._id
   };
 
-  password = getPasswordString(password);
+  const formattedPassword = getPasswordString(password);
+  const hash = user.services.password.bcrypt;
+  const hashRounds = getRoundsFromBcryptHash(hash);
 
-  if (! bcryptCompare(password, user.services.password.bcrypt)) {
+  if (! bcryptCompare(formattedPassword, hash)) {
     result.error = handleError("Incorrect password", false);
+  } else if (hash && Accounts._bcryptRounds != hashRounds) {
+    // The password checks out, but the user's bcrypt hash needs to be updated.
+    Meteor.defer(() => {
+      Meteor.users.update({ _id: user._id }, {
+        $set: {
+          'services.password.bcrypt':
+            bcryptHash(formattedPassword, Accounts._bcryptRounds)
+        }
+      });
+    });
   }
 
   return result;
@@ -78,7 +102,7 @@ var checkPassword = Accounts._checkPassword;
 ///
 const handleError = (msg, throwError = true) => {
   const error = new Meteor.Error(
-    403, 
+    403,
     Accounts._options.ambiguousErrorMessages
       ? "Something went wrong. Please check your credentials."
       : msg

packages/accounts-password/password_tests.js

@@ -1886,4 +1886,51 @@ if (Meteor.isServer) (function () {
     ]);
   });
 
+  Tinytest.addAsync(
+    'passwords - allow custom bcrypt rounds',
+    function (test, done) {
+      function getUserHashRounds(user) {
+        return Number(user.services.password.bcrypt.substring(4, 6));
+      }
+
+      // Verify that a bcrypt hash generated for a new account uses the
+      // default number of rounds.
+      let username = Random.id();
+      const password = 'abc123';
+      const userId1 = Accounts.createUser({ username, password });
+      let user1 = Meteor.users.findOne(userId1);
+      let rounds = getUserHashRounds(user1);
+      test.equal(rounds, Accounts._bcryptRounds);
+
+      // When a custom number of bcrypt rounds is set via Accounts.config,
+      // and an account was already created using the default number of rounds,
+      // make sure that a new hash is created (and stored) using the new number
+      // of rounds, the next time the password is checked.
+      const defaultRounds = Accounts._bcryptRounds;
+      const customRounds = 11;
+      Accounts._bcryptRounds = customRounds;
+      Accounts._checkPassword(user1, password);
+      Meteor.setTimeout(() => {
+        user1 = Meteor.users.findOne(userId1);
+        rounds = getUserHashRounds(user1);
+        test.equal(rounds, customRounds);
+        Accounts._options.bcryptRounds = null;
+
+        // When a custom number of bcrypt rounds is set, make sure it's
+        // used for new bcrypt password hashes.
+        username = Random.id();
+        const userId2 = Accounts.createUser({ username, password });
+        const user2 = Meteor.users.findOne(userId2);
+        rounds = getUserHashRounds(user2);
+        test.equal(rounds, customRounds);
+
+        // Cleanup
+        Accounts._bcryptRounds = defaultRounds;
+        Meteor.users.remove(userId1);
+        Meteor.users.remove(userId2);
+        done();
+      }, 5000);
+    }
+  );
+
 }) ();