chore: update http and login

jsjoeio · jsjoeio · commit d1d253081998 · 2021-06-02T10:31:51.000-07:00
diff --git a/src/node/http.ts b/src/node/http.ts
@@ -57,7 +57,7 @@ export const ensureAuthenticated = (req: express.Request, _?: express.Response,
 /**
  * Return true if authenticated via cookies.
  */
-export const authenticated = (req: express.Request): boolean => {
+export const authenticated = async (req: express.Request): Promise<boolean> => {
   switch (req.args.auth) {
     case AuthType.None:
       return true
@@ -67,7 +67,7 @@ export const authenticated = (req: express.Request): boolean => {
         req.cookies.key &&
         (req.args["hashed-password"]
           ? safeCompare(req.cookies.key, req.args["hashed-password"])
-          : req.args.password && isHashMatch(req.args.password, req.cookies.key))
+          : req.args.password && (await isHashMatch(req.args.password, req.cookies.key)))
       )
     default:
       throw new Error(`Unsupported auth type ${req.args.auth}`)
diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
@@ -77,7 +77,7 @@ router.post("/", async (req, res) => {
         ? isHashLegacyMatch(req.body.password, req.args["hashed-password"])
         : req.args.password && safeCompare(req.body.password, req.args.password)
     ) {
-      const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : hash(req.body.password)
+      const hashedPassword = req.args["hashed-password"] ? hashLegacy(req.body.password) : await hash(req.body.password)
       // The hash does not add any actual security but we do it for
       // obfuscation purposes (and as a side effect it handles escaping).
       res.cookie(Cookie.Key, hashedPassword, {
diff --git a/src/node/util.ts b/src/node/util.ts
@@ -1,6 +1,6 @@
 import * as cp from "child_process"
 import * as crypto from "crypto"
-import * as bcrypt from "bcrypt"
+import * as argon2 from "argon2"
 import envPaths from "env-paths"
 import { promises as fs } from "fs"
 import * as net from "net"
@@ -9,6 +9,7 @@ import * as path from "path"
 import * as util from "util"
 import xdgBasedir from "xdg-basedir"
 import safeCompare from "safe-compare"
+import { logger } from "@coder/logger"
 
 export interface Paths {
   data: string
@@ -120,15 +121,25 @@ export const generatePassword = async (length = 24): Promise<string> => {
 /**
  * Used to hash the password.
  */
-export const hash = (password: string): string => {
-  return bcrypt.hashSync(password, 10)
+export const hash = async (password: string) => {
+  try {
+    return await argon2.hash(password)
+  } catch (error) {
+    logger.error(error)
+    return ""
+  }
 }
 
 /**
  * Used to verify if the password matches the hash
  */
-export const isHashMatch = (password: string, hash: string) => {
-  return bcrypt.compareSync(password, hash)
+export const isHashMatch = async (password: string, hash: string) => {
+  try {
+    return await argon2.verify(hash, password)
+  } catch (error) {
+    logger.error(error)
+    return false
+  }
 }
 
 /**
