Hashed and salted password storage using inbuilt Node.js crypto library pbkdf2

clintonwoo · clintonwoo · commit 744fb7e368c1 · 2017-10-04T00:35:19.000-04:00
diff --git a/README.md b/README.md
@@ -36,10 +36,12 @@ This project is a clone of hacker news rewritten with universal JavaScript, usin
 - Docker - (Container Deployment)
 
 ### Benefits
+
 **Front End**
 - Declarative UI - (react)
 - Flux State Management - (redux)
-- GraphQL Query Colocation - (react-apollo)
+- GraphQL Fragment Colocation - (react-apollo)
+- Prefetch Page Assets - (next)
 
 **Server**
 - Universal JS - (node & express)
@@ -57,6 +59,7 @@ This project is a clone of hacker news rewritten with universal JavaScript, usin
 - Hot Module Reloading - (next)
 - Snapshot Testing - (jest)
 - Faster Package Install - (yarn)
+- JS Best Practices - (eslint)
 
 
 ### Architecture Overview
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "hackernews",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "A hacker news clone built from the ground up to demonstrate React and GraphQL",
   "engines": {
     "node": ">=6.9.4"
diff --git a/src/config.js b/src/config.js
@@ -16,3 +16,9 @@ export const HOST = (process.browser && window.location.host) || `${HOST_NAME}:$
 export const APP_URI = `http://${HOST}`;
 export const GRAPHQL_URL = `${APP_URI}${graphQLPath}`;
 export const GRAPHIQL_URL = `${APP_URI}${graphiQLPath}`;
+
+/*
+  Cryptography
+  https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback
+*/
+export const passwordIterations = 10000;
diff --git a/src/data/models/User.js b/src/data/models/User.js
@@ -1,6 +1,13 @@
 import * as DB from '../Database';
 import * as HNDB from '../HNDataAPI';
 import cache from '../Cache';
+import {
+  createHash,
+  createSalt,
+} from '../../helpers/hashPassword';
+import {
+  passwordIterations,
+} from '../../config';
 
 export default class User {
   constructor(props) {
@@ -18,27 +25,34 @@ export default class User {
     this.likes = props.likes || [];
     this.posts = props.posts || [];
     this.password = props.password || undefined;
+    this.passwordSalt = props.passwordSalt || undefined;
   }
 
   static getUser = id => cache.getUser(id) || HNDB.fetchUser(id);
 
   static getPostsForUser = id => DB.getNewsItems()
     .filter(newsItem => newsItem.submitterId === id);
 
-  static validPassword = (id, password) => {
+  static validPassword = async (id, password) => {
     const user = cache.getUser(id);
-    if (user) return user.password === password;
+    if (user) return await createHash(password, user.passwordSalt, passwordIterations) === user.password;
     return false;
   }
 
-  static registerUser = ({ id, password }) => {
+  static registerUser = async ({ id, password }) => {
     if (id.length < 3 || id.length > 32) throw new Error('User ID must be between 3 and 32 characters.');
     if (password.length < 8 || password.length > 100) throw new Error('User password must be longer than 8 characters.');
     if (cache.getUser(id)) throw new Error('Username is taken.');
+
+    const passwordSalt = createSalt();
+    const hashedPassword = await createHash(password, passwordSalt, passwordIterations);
+
     const user = new User({
       id,
-      password,
+      password: hashedPassword,
+      passwordSalt,
     });
+
     cache.setUser(user.id, user);
     return user;
   }
diff --git a/src/helpers/hashPassword.js b/src/helpers/hashPassword.js
@@ -0,0 +1,10 @@
+import crypto from 'crypto';
+
+export const createHash = (password, salt, iterations) => new Promise((resolve, reject) => {
+  const saltBuffer = typeof salt === 'string' ? Buffer.from(salt, 'base64') : salt;
+
+  const callback = (err, derivedKey) => err ? reject(err) : resolve(derivedKey.toString('base64'));
+  crypto.pbkdf2(password, saltBuffer, iterations, 512 / 8, 'sha512', callback);
+});
+
+export const createSalt = () => crypto.randomBytes(128).toString('base64');
diff --git a/src/server.js b/src/server.js
@@ -47,7 +47,7 @@ app.prepare()
     passport.use(new LocalStrategy(
       (username, password, done) => {
         const user = User.getUser(username);
-        // if (err) { return done(err); }
+        // if (err) return done(err);
         if (!user) {
           return done(null, false, { message: 'Incorrect username.' });
         }
@@ -83,14 +83,18 @@ app.prepare()
     server.use(bodyParser.urlencoded({ extended: false }));
     server.use(passport.session());
 
-    server.post('/login', (req, res, next) => {
+    server.post('/login', async (req, res, next) => {
       if (req.body.creating) {
         if (!req.user) {
-          User.registerUser({
-            id: req.body.username,
-            password: req.body.password,
-          });
-          req.session.returnTo = `${req.body.goto}${req.body.username}`;
+          try {
+            await User.registerUser({
+              id: req.body.username,
+              password: req.body.password,
+            });
+            req.session.returnTo = `${req.body.goto}${req.body.username}`;
+          } catch (err) {
+            req.session.returnTo = '/login?how=user';
+          }
         } else req.session.returnTo = '/login?how=user';
       } else req.session.returnTo = req.body.goto;
       next();

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "hackernews",`
`3`		`- "version": "0.3.0",`
	`3`	`+ "version": "0.4.0",`
`4`	`4`	`"description": "A hacker news clone built from the ground up to demonstrate React and GraphQL",`
`5`	`5`	`"engines": {`
`6`	`6`	`"node": ">=6.9.4"`