Generate a unique salt for each token

Reusing the password salt is bad practice, and changing the password changes the salt as well which makes all tokens invalid. Put the salt in the same field as the hash (concatenated with a separator) to avoid modifying the JSON DB schema. Signed-off-by: Yannick Schaus <github@schaus.net>
openhab · Oct 19, 2020 · 8c3c0a5 · 8c3c0a5
1 parent 35e8d12
commit 8c3c0a5
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/bundles/org.openhab.core/src/main/java/org/openhab/core/internal/auth/UserRegistryImpl.java b/bundles/org.openhab.core/src/main/java/org/openhab/core/internal/auth/UserRegistryImpl.java
@@ -151,8 +151,8 @@ public Authentication authenticate(Credentials credentials) throws Authenticatio
             UserApiTokenCredentials userApiTokenCreds = (UserApiTokenCredentials) credentials;
             for (User user : getAll()) {
                 ManagedUser managedUser = (ManagedUser) user;
-                String tokenHash = hash(userApiTokenCreds.getApiToken(), managedUser.getPasswordSalt(),
-                        APITOKEN_ITERATIONS).get();
+                String[] tokenHashAndSalt = userApiTokenCreds.getApiToken().split(":");
+                String tokenHash = hash(tokenHashAndSalt[0], tokenHashAndSalt[1], APITOKEN_ITERATIONS).get();
 
                 if (managedUser.getApiTokens().stream()
                         .anyMatch(userApiToken -> tokenHash.equals(userApiToken.getApiToken()))) {
@@ -224,13 +224,13 @@ public String addUserApiToken(User user, String name, String scope) {
         }
 
         ManagedUser managedUser = (ManagedUser) user;
-        String salt = managedUser.getPasswordSalt();
+        String tokenSalt = generateSalt(KEY_LENGTH / 8).get();
         byte[] rnd = new byte[64];
         RAND.nextBytes(rnd);
         String token = "oh." + name + "." + Base64.getEncoder().encodeToString(rnd).replaceAll("(\\+|/|=)", "");
-        String tokenHash = hash(token, salt, APITOKEN_ITERATIONS).get();
+        String tokenHash = hash(token, tokenSalt, APITOKEN_ITERATIONS).get();
 
-        UserApiToken userApiToken = new UserApiToken(name, tokenHash, scope);
+        UserApiToken userApiToken = new UserApiToken(name, tokenHash + ":" + tokenSalt, scope);
 
         managedUser.getApiTokens().add(userApiToken);
         this.update(user);