From 72af81b6f063dde527e8a3e338c6d2b220ceff55 Mon Sep 17 00:00:00 2001
From: Cyril Tourist
Date: Wed, 4 Sep 2019 22:28:27 +0000
Subject: [PATCH] Update password stored as a SHA256 hash in cookie
---
 packages/app/browser/src/app.ts | 7 ++++++-
 packages/server/src/server.ts | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/packages/app/browser/src/app.ts b/packages/app/browser/src/app.ts
index 5fa8a9cb1d1c..aff0507d39f1 100644
--- a/packages/app/browser/src/app.ts
+++ b/packages/app/browser/src/app.ts
@@ -2,6 +2,7 @@ import { MDCTextField } from "@material/textfield";
 //@ts-ignore
 import { MDCCheckbox } from "@material/checkbox";
+import { createHash } from "crypto";
 import "material-components-web/dist/material-components-web.css";
 import "./app.scss";
@@ -26,9 +27,13 @@ if (!form) {
   throw new Error("No password form found");
 }
+const hash = (guid: string): string => {
+  return createHash("sha256").update(guid).digest("hex");
+};
+
 form.addEventListener("submit", (e) => {
   e.preventDefault();
-  document.cookie = `password=${password.value}; `
+  document.cookie = `password=${hash(password.value)}; `
     + `path=${location.pathname.replace(/\/login\/?$/, "/")}; `
     + `domain=${location.hostname}`;
   location.reload();
diff --git a/packages/server/src/server.ts b/packages/server/src/server.ts
index 70dbb7654028..027942cb7bbc 100644
--- a/packages/server/src/server.ts
+++ b/packages/server/src/server.ts
@@ -22,6 +22,7 @@ import * as url from "url";
 import * as ws from "ws";
 import { buildDir } from "./constants";
 import { createPortScanner } from "./portScanner";
+import { createHash } from "crypto";
 import safeCompare = require("safe-compare");
 interface CreateAppOptions {
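Review bot: The cookie written in the `document.cookie` assignment still holds a long-lived bearer credential — the server accepts the digest as-is — so this keeps the plaintext password out of the cookie but does not change what a stored cookie is worth; a server-issued random session token would, and the assignment sets neither `Secure` nor `SameSite`, which are worth adding regardless (`HttpOnly` cannot be set from script). `createHash` is Node's `crypto` API (the import in the hunk above), so this browser bundle depends on a bundler shim for it; the native `crypto.subtle.digest("SHA-256", …)` avoids that, though it is async and needs a secure context, so it may not fit if the app can be served over plain HTTP. The parameter name `guid` is misleading for a password: `const hash = (secret: string): string => {`. The submit handler continues outside the hunk.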
@@ -87,7 +88,7 @@ export const createApp = async (options: CreateAppOptions): Promise<{
       // Try/catch placed here just in case
       const cookies = parseCookies(req);
       if (cookies.password) {
-        if (!safeCompare(cookies.password, options.password)) {
+        if (!safeCompare(cookies.password, hash(options.password))) {
           let userAgent = req.headers["user-agent"];
           let timestamp = Math.floor(new Date().getTime() / 1000);
           if (Array.isArray(userAgent)) {
@@ -120,6 +121,10 @@ export const createApp = async (options: CreateAppOptions): Promise<{
     return (socket as any).encrypted;
   };
+  const hash = (guid: string): string => {
+    return createHash("sha256").update(guid).digest("hex");
+  };
+
   const app = express();
   if (options.registerMiddleware) {
     options.registerMiddleware(app);
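Review bot: `hash(options.password)` is recomputed on every request that carries a password cookie, and `hash` itself is declared further down in `createApp` (the @@ -120 hunk) than this use; it resolves at runtime only because the use sits inside a callback, and it reads as use-before-declaration of a `const`. Compute the expected digest once, next to where the helper is defined and before the handler is registered, `const passwordHash = hash(options.password);`, and compare with `safeCompare(cookies.password, passwordHash)`. If `options.password` can be undefined, `update()` throws on the first request with a password cookie — worth confirming against `CreateAppOptions`, which is outside this hunk. The handler and `createApp` continue outside the hunk.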
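Review bot: The helper is a verbatim copy of the one added to packages/app/browser/src/app.ts, and the two must stay byte-for-byte equivalent (algorithm, input encoding, hex output) or every login is rejected as a wrong password with nothing pointing at the mismatch; a comment tying them together would help, e.g. `// Must match hash() in packages/app/browser/src/app.ts: the cookie holds that digest.` The parameter name `guid` does not describe a password; `const hash = (secret: string): string => {`. `createApp` continues outside the hunk.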