Merge pull request #1759 from overleaf/sk-disable-bcrypt-rounds-upgrade

Temporarily de-activate automatic upgrade of bcrypt rounds

GitOrigin-RevId: 66dbe344c00253e4b6a8f883735e61d9133da62e
Timothée Alby 2019-05-15 09:18:39 +02:00 committed by sharelatex
parent 77de78e70b
commit bd722dda8e
2 changed files with 25 additions and 0 deletions


@ -86,6 +86,9 @@ module.exports = AuthenticationManager =
return callback(new Error("Password Reset Attempt Failed")) return callback(new Error("Password Reset Attempt Failed"))
checkRounds: (user, hashedPassword, password, callback = (error) ->) -> checkRounds: (user, hashedPassword, password, callback = (error) ->) ->
# Temporarily disable this function, TODO: re-enable this
if Settings?.security?.disableBcryptRoundsUpgrades
return callback()
# check current number of rounds and rehash if necessary # check current number of rounds and rehash if necessary
currentRounds = bcrypt.getRounds hashedPassword currentRounds = bcrypt.getRounds hashedPassword
if currentRounds < BCRYPT_ROUNDS if currentRounds < BCRYPT_ROUNDS
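Review bot: The early return added under `Settings?.security?.disableBcryptRoundsUpgrades` skips the rehash with no trace, so while the flag is on nothing records how many stored hashes remain below BCRYPT_ROUNDS; a log line or metric just before `return callback()` would keep the backlog measurable and show when it is safe to re-enable. The comment `# Temporarily disable this function, TODO: re-enable this` should name what the pause is waiting on, e.g. `# Rounds upgrade paused via settings.security.disableBcryptRoundsUpgrades (see <TRACKING ISSUE>); rehashing resumes when the flag is removed`. The optional chain also means a missing `Settings` or `security` object falls through to the upgrade path, which is the safe default and worth stating in that comment. checkRounds's body continues outside the hunk.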


@ -148,6 +148,28 @@ describe "AuthenticationManager", ->
it "should return the user", -> it "should return the user", ->
@callback.calledWith(null, @user).should.equal true @callback.calledWith(null, @user).should.equal true
describe "when the hashed password matches but the number of rounds is too low, but upgrades disabled", ->
beforeEach (done) ->
@settings.security.disableBcryptRoundsUpgrades = true
@user.hashedPassword = @hashedPassword = "asdfjadflasdf"
@bcrypt.compare = sinon.stub().callsArgWith(2, null, true)
@bcrypt.getRounds = sinon.stub().returns 7
@AuthenticationManager.setUserPassword = sinon.stub().callsArgWith(2, null)
@AuthenticationManager.authenticate email: @email, @unencryptedPassword, (error, user) =>
@callback(error, user)
done()
it "should not check the number of rounds", ->
@bcrypt.getRounds.called.should.equal false
it "should not set the users password (with a higher number of rounds)", ->
@AuthenticationManager.setUserPassword
.calledWith("user-id", @unencryptedPassword)
.should.equal false
it "should return the user", ->
@callback.calledWith(null, @user).should.equal true
describe "when the user does not exist in the database", -> describe "when the user does not exist in the database", ->
beforeEach -> beforeEach ->
@User.findOne = sinon.stub().callsArgWith(1, null, null) @User.findOne = sinon.stub().callsArgWith(1, null, null)
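Review bot: The new beforeEach sets `@settings.security.disableBcryptRoundsUpgrades = true` but nothing in the hunk resets it, so unless an outer beforeEach rebuilds `@settings` for every case the flag leaks into the describe blocks that follow (starting with the one at the end of this hunk) and would hide a regression in the upgrade path. If `@settings` is shared across cases, add `afterEach -> delete @settings.security.disableBcryptRoundsUpgrades` inside this describe. The assignment also presumes `@settings.security` already exists in the fixture; if the outer setup only provides `@settings = {}`, it throws before the test body runs. The enclosing describe "AuthenticationManager" begins outside the hunk.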