♻️ Hash passwords, ensure uncompromised

staart · Oct 24, 2020 · b7cf9f3 · b7cf9f3
1 parent 183b674
commit b7cf9f3
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/src/config/configuration.ts b/src/config/configuration.ts
@@ -4,6 +4,7 @@ export default () => ({
     saltRounds: process.env.SALT_ROUNDS ?? 10,
     jwtSecret: process.env.JWT_SECRET ?? 'staart',
     accessTokenExpiry: process.env.ACCESS_TOKEN_EXPIRY ?? '1h',
+    passwordPwnedCheck: !!process.env.PASSWORD_PWNED_CHECK,
   },
   email: {
     name: process.env.EMAIL_NAME ?? 'Staart',

diff --git a/src/modules/auth/auth.dto.ts b/src/modules/auth/auth.dto.ts
@@ -73,6 +73,10 @@ export class RegisterDto {
   @IsObject()
   @IsOptional()
   attributes?: Record<string, any>;
+
+  @IsBoolean()
+  @IsOptional()
+  ignorePwnedPassword?: boolean;
 }
 
 export class ResendEmailVerificationDto {

diff --git a/src/modules/auth/auth.service.ts b/src/modules/auth/auth.service.ts
@@ -12,10 +12,11 @@ import { Expose } from '../prisma/prisma.interface';
 import { PrismaService } from '../prisma/prisma.service';
 import { UsersService } from '../user/user.service';
 import { RegisterDto } from './auth.dto';
-import { compare } from 'bcrypt';
+import { compare, hash } from 'bcrypt';
 import { JwtService } from '@nestjs/jwt';
 import { randomStringGenerator } from '@nestjs/common/utils/random-string-generator.util';
 import { AccessTokenClaims } from './auth.interface';
+import { PwnedService } from '../pwned/pwned.service';
 
 @Injectable()
 export class AuthService {
@@ -25,6 +26,7 @@ export class AuthService {
     private email: EmailService,
     private configService: ConfigService,
     private jwtService: JwtService,
+    private pwnedService: PwnedService,
   ) {}
 
   async validateUser(email: string, password?: string): Promise<number> {
@@ -66,7 +68,17 @@ export class AuthService {
   async register(data: RegisterDto): Promise<Expose<users>> {
     const email = data.email;
     const emailSafe = this.users.getSafeEmail(email);
+    const ignorePwnedPassword = !!data.ignorePwnedPassword;
     delete data.email;
+    delete data.ignorePwnedPassword;
+
+    if (data.password) {
+      if (!ignorePwnedPassword) await this.ensureSafePassword(data.password);
+      data.password = await hash(
+        data.password,
+        this.configService.get<number>('security.saltRounds'),
+      );
+    }
 
     const users = await this.users.users({
       take: 1,
@@ -150,6 +162,16 @@ export class AuthService {
     });
   }
 
+  async ensureSafePassword(password: string): Promise<void> {
+    if (!this.configService.get<boolean>('security.passwordPwnedCheck')) return;
+    const isSafe = this.pwnedService.isPasswordSafe(password);
+    if (!isSafe)
+      throw new HttpException(
+        'This password has been compromised in a data breach.',
+        HttpStatus.BAD_REQUEST,
+      );
+  }
+
   async getScopes(userId: number): Promise<string[]> {
     const scopes: string[] = [`user-${userId}:*`];
     const memberships = await this.prisma.memberships.findMany({