From 3c859ba3038121b67fb98e87dc52617fa27cbef0 Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Thu, 11 Jan 2024 10:54:55 -0800
Subject: [PATCH] Change pwd check to O(1) check to prevent timing attacks -
single user mode (#575)
Change pwd check to O(1) check to prevent timing attacks
---
frontend/src/components/Modals/Password/index.jsx | 2 +-
frontend/src/pages/Login/index.jsx | 6 +++++-
server/endpoints/system.js | 10 ++++++++--
server/utils/middleware/validatedRequest.js | 3 ++-
4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/frontend/src/components/Modals/Password/index.jsx b/frontend/src/components/Modals/Password/index.jsx
index e98986851..00fefe4ed 100644
--- a/frontend/src/components/Modals/Password/index.jsx
+++ b/frontend/src/components/Modals/Password/index.jsx
@@ -37,7 +37,7 @@ export default function PasswordModal({ mode = "single" }) {
export function usePasswordModal() {
const [auth, setAuth] = useState({
loading: true,
- required: false,
+ requiresAuth: false,
mode: "single",
});
diff --git a/frontend/src/pages/Login/index.jsx b/frontend/src/pages/Login/index.jsx
index ec5950cbe..cf8ab2493 100644
--- a/frontend/src/pages/Login/index.jsx
+++ b/frontend/src/pages/Login/index.jsx
@@ -1,9 +1,13 @@
import React from "react";
import PasswordModal, { usePasswordModal } from "@/components/Modals/Password";
import { FullScreenLoader } from "@/components/Preloader";
+import { Navigate } from "react-router-dom";
+import paths from "@/utils/paths";
export default function Login() {
- const { loading, mode } = usePasswordModal();
+ const { loading, requiresAuth, mode } = usePasswordModal();
if (loading) return <FullScreenLoader />;
+ if (requiresAuth === false) return <Navigate to={paths.home()} />;
+
return <PasswordModal mode={mode} />;
}
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index a6acf47e6..d2a13d10f 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -107,6 +107,8 @@ function systemEndpoints(app) {
app.post("/request-token", async (request, response) => {
try {
+ const bcrypt = require("bcrypt");
+
if (await SystemSettings.isMultiUserMode()) {
const { username, password } = reqBody(request);
const existingUser = await User.get({ username });
@@ -121,7 +123,6 @@ function systemEndpoints(app) {
return;
}
- const bcrypt = require("bcrypt");
if (!bcrypt.compareSync(password, existingUser.password)) {
response.status(200).json({
user: null,
@@ -159,7 +160,12 @@ function systemEndpoints(app) {
return;
} else {
const { password } = reqBody(request);
- if (password !== process.env.AUTH_TOKEN) {
+ if (
+ !bcrypt.compareSync(
+ password,
+ bcrypt.hashSync(process.env.AUTH_TOKEN, 10)
+ )
+ ) {
response.status(401).json({
valid: false,
token: null,
diff --git a/server/utils/middleware/validatedRequest.js b/server/utils/middleware/validatedRequest.js
index 275522bb9..6f3df26da 100644
--- a/server/utils/middleware/validatedRequest.js
+++ b/server/utils/middleware/validatedRequest.js
@@ -36,8 +36,9 @@ async function validatedRequest(request, response, next) {
return;
}
+ const bcrypt = require("bcrypt");
const { p } = decodeJWT(token);
- if (p !== process.env.AUTH_TOKEN) {
+ if (!bcrypt.compareSync(p, bcrypt.hashSync(process.env.AUTH_TOKEN, 10))) {
response.status(401).json({
error: "Invalid auth token found.",
});
--
GitLab