Skip to content

Make secret hashing configurable #545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
eduardoboucas merged 1 commit into from
Apr 10, 2019
Merged

Make secret hashing configurable #545

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,11 @@ var conf = convict({
default: 'test',
env: 'DB_AUTH_NAME'
},
hashSecrets: {
doc: 'Whether to hash client secrets',
format: Boolean,
default: false
},
saltRounds: {
doc: 'The number of rounds to go through when hashing a password',
format: Number,
Expand Down
24 changes: 18 additions & 6 deletions dadi/lib/model/acl/client.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,9 +89,8 @@ Client.prototype.create = function (client, {
)
}

return this.hashSecret(client.secret)
return this.hashSecret(client.secret, client)
}).then(hashedsecret => {
client._hashVersion = HASH_VERSION
client.secret = hashedsecret

return this.model.create({
Expand Down Expand Up @@ -198,14 +197,24 @@ Client.prototype.get = function (clientId, secret) {
}

/**
* Generates a hash from a secret.
* Generates a hash from a secret. If `target` is supplied, a `_hashVersion_`
* property will be added to that object.
*
* @param {String} secret
* @param {Object} target
* @return {Promise<String>}
*/
Client.prototype.hashSecret = function (secret) {
Client.prototype.hashSecret = function (secret, target) {
if (!config.get('auth.hashSecrets')) {
return Promise.resolve(secret)
}

const saltRounds = config.get('auth.saltRounds')

if (target) {
target._hashVersion = HASH_VERSION
}

return bcrypt.hash(secret, saltRounds)
}

Expand Down Expand Up @@ -602,8 +611,7 @@ Client.prototype.update = function (clientId, update) {
// If we're trying to update the client's secret, we must hash it
// before sending it to the database.
if (typeof secret === 'string') {
return this.hashSecret(secret).then(hashedSecret => {
update._hashVersion = HASH_VERSION
return this.hashSecret(secret, update).then(hashedSecret => {
update.secret = hashedSecret

return results
Expand Down Expand Up @@ -705,6 +713,10 @@ Client.prototype.validate = function (client, {
* @return {Promise<Boolean>}
*/
Client.prototype.validateSecret = function (hash, candidate, hashVersion) {
if (!config.get('auth.hashSecrets')) {
return Promise.resolve(hash === candidate)
}

if (hashVersion !== HASH_VERSION) {
return Promise.reject(
new Error('CLIENT_NEEDS_UPGRADE')
Expand Down
112 changes: 58 additions & 54 deletions test/acceptance/acl/clients-api/post.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -524,76 +524,80 @@ module.exports = () => {
})

describe('success states (the client has "create" access to the "clients" resource)', () => {
it('should hash client secrets and salt them using the number of rounds specified in the `auth.saltRounds` config property', done => {
config.set('auth.saltRounds', 5)

const spy = sinon.spy(bcrypt, 'hash')
const testClient = {
clientId: 'apiClient',
secret: 'someSecret',
resources: {
clients: {
create: true
describe('if `auth.hashSecrets` is set to true', () => {
it('should hash client secrets and salt them using the number of rounds specified in the `auth.saltRounds` config property', done => {
config.set('auth.hashSecrets', true)
config.set('auth.saltRounds', 5)

const spy = sinon.spy(bcrypt, 'hash')
const testClient = {
clientId: 'apiClient',
secret: 'someSecret',
resources: {
clients: {
create: true
}
}
}
}
const newClient1 = {
clientId: 'newClient1',
secret: 'aNewSecret1'
}
const newClient2 = {
clientId: 'newClient2',
secret: 'aNewSecret2'
}

help.createACLClient(testClient).then(() => {
client
.post(config.get('auth.tokenUrl'))
.set('content-type', 'application/json')
.send({
clientId: testClient.clientId,
secret: testClient.secret
})
.expect(200)
.expect('content-type', 'application/json')
.end((err, res) => {
if (err) return done(err)

const {accessToken} = res.body

const newClient1 = {
clientId: 'newClient1',
secret: 'aNewSecret1'
}
const newClient2 = {
clientId: 'newClient2',
secret: 'aNewSecret2'
}

help.createACLClient(testClient).then(() => {
client
.post('/api/clients')
.send(newClient1)
.post(config.get('auth.tokenUrl'))
.set('content-type', 'application/json')
.set('Authorization', `Bearer ${accessToken}`)
.send({
clientId: testClient.clientId,
secret: testClient.secret
})
.expect(200)
.expect('content-type', 'application/json')
.end((err, res) => {
res.statusCode.should.eql(201)

spy.getCall(0).args[0].should.eql('aNewSecret1')
spy.getCall(0).args[1].should.eql(5)

config.set('auth.saltRounds', 8)

if (err) return done(err)

const {accessToken} = res.body

client
.post('/api/clients')
.send(newClient2)
.send(newClient1)
.set('content-type', 'application/json')
.set('Authorization', `Bearer ${accessToken}`)
.expect('content-type', 'application/json')
.end((err, res) => {
res.statusCode.should.eql(201)

config.set('auth.saltRounds', configBackup.auth.saltRounds)

spy.getCall(1).args[0].should.eql('aNewSecret2')
spy.getCall(1).args[1].should.eql(8)
spy.getCall(0).args[0].should.eql('aNewSecret1')
spy.getCall(0).args[1].should.eql(5)

spy.restore()
config.set('auth.saltRounds', 8)

done(err)
})
})
client
.post('/api/clients')
.send(newClient2)
.set('content-type', 'application/json')
.set('Authorization', `Bearer ${accessToken}`)
.expect('content-type', 'application/json')
.end((err, res) => {
res.statusCode.should.eql(201)

config.set('auth.hashSecrets', configBackup.auth.hashSecrets)
config.set('auth.saltRounds', configBackup.auth.saltRounds)

spy.getCall(1).args[0].should.eql('aNewSecret2')
spy.getCall(1).args[1].should.eql(8)

spy.restore()

done(err)
})
})
})
})
})
})
Expand Down
124 changes: 65 additions & 59 deletions test/acceptance/acl/clients-api/put.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -550,77 +550,83 @@ module.exports = () => {

describe('success states', () => {
describe('updating the secret', () => {
it('should hash the new secret and salt it using the number of rounds specified in the `auth.saltRounds` config property', done => {
let testClient = {
clientId: 'apiClient',
secret: 'someSecret'
}

help.createACLClient(testClient).then(() => {
client
.post(config.get('auth.tokenUrl'))
.set('content-type', 'application/json')
.send({
clientId: testClient.clientId,
secret: testClient.secret
})
.expect(200)
.expect('content-type', 'application/json')
.end((err, res) => {
if (err) return done(err)

res.body.accessToken.should.be.String

let bearerToken = res.body.accessToken

config.set('auth.saltRounds', 9)

const spy = sinon.spy(bcrypt, 'hash')
const update = {
currentSecret: 'someSecret',
secret: 'aNewSecret'
}
describe('if `auth.hashSecrets` is set to true', () => {
it('should hash the new secret and salt it using the number of rounds specified in the `auth.saltRounds` config property', done => {
config.set('auth.hashSecrets', true)

let testClient = {
clientId: 'apiClient',
secret: 'someSecret'
}

help.createACLClient(testClient).then(() => {
client
.put('/api/client')
.send(update)
.post(config.get('auth.tokenUrl'))
.set('content-type', 'application/json')
.set('Authorization', `Bearer ${bearerToken}`)
.send({
clientId: testClient.clientId,
secret: testClient.secret
})
.expect(200)
.expect('content-type', 'application/json')
.end((err, res) => {
res.statusCode.should.eql(200)

res.body.results.should.be.Array
res.body.results.length.should.eql(1)
res.body.results[0].clientId.should.eql(testClient.clientId)

spy.getCall(0).args[0].should.eql(update.secret)
spy.getCall(0).args[1].should.eql(9)
spy.restore()

config.set('auth.saltRounds', configBackup.auth.saltRounds)

should.not.exist(res.body.results[0].secret)

if (err) return done(err)
res.body.accessToken.should.be.String

let bearerToken = res.body.accessToken
config.set('auth.saltRounds', 9)

const spy = sinon.spy(bcrypt, 'hash')
const update = {
currentSecret: 'someSecret',
secret: 'aNewSecret'
}
client
.post(config.get('auth.tokenUrl'))
.put('/api/client')
.send(update)
.set('content-type', 'application/json')
.send({
clientId: testClient.clientId,
secret: 'aNewSecret'
})
.expect(200)
.set('Authorization', `Bearer ${bearerToken}`)
.expect('content-type', 'application/json')
.end((err, res) => {
if (err) return done(err)

res.body.accessToken.should.be.String

done()
res.statusCode.should.eql(200)

res.body.results.should.be.Array
res.body.results.length.should.eql(1)
res.body.results[0].clientId.should.eql(testClient.clientId)

spy.getCall(0).args[0].should.eql(update.secret)
spy.getCall(0).args[1].should.eql(9)
spy.restore()

config.set('auth.saltRounds', configBackup.auth.saltRounds)

should.not.exist(res.body.results[0].secret)

client
.post(config.get('auth.tokenUrl'))
.set('content-type', 'application/json')
.send({
clientId: testClient.clientId,
secret: 'aNewSecret'
})
.expect(200)
.expect('content-type', 'application/json')
.end((err, res) => {
if (err) return done(err)

config.set('auth.hashSecrets', configBackup.auth.hashSecrets)

res.body.accessToken.should.be.String

done()
})
})
})
})
})
})
})

it('should allow a client to update their own secret on /api/clients/{ID}', done => {
Expand Down
Loading