Merge pull request #1759 from overleaf/sk-disable-bcrypt-rounds-upgrade

Temporarily de-activate automatic upgrade of bcrypt rounds

GitOrigin-RevId: 66dbe344c00253e4b6a8f883735e61d9133da62e
This commit is contained in:
Timothée Alby 2019-05-15 09:18:39 +02:00 committed by sharelatex
parent 77de78e70b
commit bd722dda8e
2 changed files with 25 additions and 0 deletions

View file

@ -86,6 +86,9 @@ module.exports = AuthenticationManager =
return callback(new Error("Password Reset Attempt Failed"))
checkRounds: (user, hashedPassword, password, callback = (error) ->) ->
# Temporarily disable this function, TODO: re-enable this
if Settings?.security?.disableBcryptRoundsUpgrades
return callback()
# check current number of rounds and rehash if necessary
currentRounds = bcrypt.getRounds hashedPassword
if currentRounds < BCRYPT_ROUNDS

View file

@ -148,6 +148,28 @@ describe "AuthenticationManager", ->
it "should return the user", ->
@callback.calledWith(null, @user).should.equal true
describe "when the hashed password matches but the number of rounds is too low, but upgrades disabled", ->
beforeEach (done) ->
@settings.security.disableBcryptRoundsUpgrades = true
@user.hashedPassword = @hashedPassword = "asdfjadflasdf"
@bcrypt.compare = sinon.stub().callsArgWith(2, null, true)
@bcrypt.getRounds = sinon.stub().returns 7
@AuthenticationManager.setUserPassword = sinon.stub().callsArgWith(2, null)
@AuthenticationManager.authenticate email: @email, @unencryptedPassword, (error, user) =>
@callback(error, user)
done()
it "should not check the number of rounds", ->
@bcrypt.getRounds.called.should.equal false
it "should not set the users password (with a higher number of rounds)", ->
@AuthenticationManager.setUserPassword
.calledWith("user-id", @unencryptedPassword)
.should.equal false
it "should return the user", ->
@callback.calledWith(null, @user).should.equal true
describe "when the user does not exist in the database", ->
beforeEach ->
@User.findOne = sinon.stub().callsArgWith(1, null, null)