improve login check, #577 #434

sseide · sseide · commit 4e9f66df06fb · 2024-10-29T11:06:21.000+01:00
Signed-off-by: Stefan Seide &lt;account-github@seide.st&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,7 @@
 * update ioredis from 4.28.5 to 5.4.1
 * update dependencies yargs@17.7.2, ejs@3.1.10, jstree@3.3.17, config@3.3.12, body-parser@1.20.3
 * update "@cyclonedx/cyclonedx-npm"@1.19.3
+* improve password login check and prevent timing attacks on username check
 
 ## Version 0.8.1
 #### Bugfixes
diff --git a/lib/app.js b/lib/app.js
@@ -18,7 +18,7 @@ let config = require('config');
 
 
 function comparePasswords(a, b) {
-  // make shure booth buffers have same length and make time comparision attacks to
+  // make sure booth buffers have same length and make time comparison attacks to
   // guess pw length harder by calculation fixed length hmacs first
   let key = crypto.pseudoRandomBytes(32);
   let bufA = crypto.createHmac('sha256', key).update(a).digest();
@@ -232,13 +232,13 @@ module.exports = function (_redisConnections) {
         // signin with username and password
         // explicit casts as fix for possible numeric username or password
         // no fast exit on wrong username to let evil guy not guess existing ones
-        let validUser = true;
+        let validUser = false;
         let validPass = false;
-        if (String(req.body.username) !== String(config.get('server.httpAuth.username'))) {
-          validUser = false;
+        if (comparePasswords(String(req.body.username), String(config.get('server.httpAuth.username')))) {
+          validUser = true;
         }
         if (config.get('server.httpAuth.passwordHash')) {
-          validPass = bcrypt.compare(String(req.body.password), String(config.get('server.httpAuth.passwordHash')))
+          validPass = bcrypt.compareSync(String(req.body.password), String(config.get('server.httpAuth.passwordHash')))
         }
         else {
           // prevent empty passwords
