Merge pull request #1759 from overleaf/sk-disable-bcrypt-rounds-upgrade

Temporarily de-activate automatic upgrade of bcrypt rounds GitOrigin-RevId: 66dbe344c00253e4b6a8f883735e61d9133da62e
2024-11-07 20:31:06 -05:00 · 2019-05-15 09:18:39 +02:00 · 2019-05-15 09:18:39 +02:00 · bd722dda8e
commit bd722dda8e
parent 77de78e70b
2 changed files with 25 additions and 0 deletions
--- a/services/web/app/coffee/Features/Authentication/AuthenticationManager.coffee
+++ b/services/web/app/coffee/Features/Authentication/AuthenticationManager.coffee
@ -86,6 +86,9 @@ module.exports = AuthenticationManager =
 				return callback(new Error("Password Reset Attempt Failed"))

 	checkRounds: (user, hashedPassword, password, callback = (error) ->) ->
+		# Temporarily disable this function, TODO: re-enable this
+		if Settings?.security?.disableBcryptRoundsUpgrades
+			return callback()
 		# check current number of rounds and rehash if necessary
 		currentRounds = bcrypt.getRounds hashedPassword
 		if currentRounds < BCRYPT_ROUNDS
--- a/services/web/test/unit/coffee/Authentication/AuthenticationManagerTests.coffee
+++ b/services/web/test/unit/coffee/Authentication/AuthenticationManagerTests.coffee
@ -148,6 +148,28 @@ describe "AuthenticationManager", ->
 				it "should return the user", ->
 					@callback.calledWith(null, @user).should.equal true

+			describe "when the hashed password matches but the number of rounds is too low, but upgrades disabled", ->
+				beforeEach (done) ->
+					@settings.security.disableBcryptRoundsUpgrades = true
+					@user.hashedPassword = @hashedPassword = "asdfjadflasdf"
+					@bcrypt.compare = sinon.stub().callsArgWith(2, null, true)
+					@bcrypt.getRounds = sinon.stub().returns 7
+					@AuthenticationManager.setUserPassword = sinon.stub().callsArgWith(2, null)
+					@AuthenticationManager.authenticate email: @email, @unencryptedPassword, (error, user) =>
+						@callback(error, user)
+						done()
+
+				it "should not check the number of rounds", ->
+					@bcrypt.getRounds.called.should.equal false
+
+				it "should not set the users password (with a higher number of rounds)", ->
+					@AuthenticationManager.setUserPassword
+						.calledWith("user-id", @unencryptedPassword)
+						.should.equal false
+
+				it "should return the user", ->
+					@callback.calledWith(null, @user).should.equal true
+
 		describe "when the user does not exist in the database", ->
 			beforeEach ->
 				@User.findOne = sinon.stub().callsArgWith(1, null, null)