feat: use bcrypt2 to hash admin password

Author: SharzyL

README.md

@@ -54,10 +54,12 @@ If you want a private deployment (only you can upload paste, but everyone can re
 
 ```toml
 [vars.BASIC_AUTH]
-user1 = "passwd1"
-user2 = "passwd2"
+user1 = "$2b$08$i/yH1TSIGWUNQVsxPrcVUeR0hsGioFNf3.OeHdYzxwjzLH/hzoY.i"
+user2 = "$2b$08$KeVnmXoMuRjNHKQjDHppEeXAf5lTLv9HMJCTlKW5uvRcEG5LOdBpO"
 ```
 
+Passwords here are hashed by bcrypt2 algorithm. You can generate the hashed password by running `./scripts/bcrypt.js`.
+
 Now every access to POST request, and every access to static pages, requires an HTTP basic auth with the user-password pair listed above. For example:
 
 ```console

eslint.config.js

@@ -15,7 +15,7 @@ export default tseslint.config(
       },
     },
   },
-  globalIgnores(["dist/**", ".wrangler/**", "coverage/**", "worker-configuration.d.ts"]),
+  globalIgnores(["dist/**", ".wrangler/**", "coverage/**", "scripts/**", "worker-configuration.d.ts"]),
   {
     rules: {
       "no-unused-vars": "off",

package.json

@@ -54,8 +54,10 @@
     "@heroui/react": "2.8.0-beta.2",
     "@mjackson/multipart-parser": "^0.8.2",
     "@tailwindcss/vite": "^4.1.4",
+    "@types/bcrypt": "^5.0.2",
     "@types/react": "^19.1.2",
     "@types/react-dom": "^19.1.2",
+    "bcrypt-ts": "^7.0.0",
     "chardet": "^2.1.0",
     "framer-motion": "^12.7.4",
     "highlight.js": "^11.11.1",

scripts/bcrypt.js

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+
+import { hashSync } from "bcrypt-ts"
+import readline from "readline"
+
+function main() {
+  const args = process.argv.slice(2)
+  let rounds = 8
+  if (args.length === 2 && args[0] === "-n") {
+    rounds = parseInt(args[1])
+    if (isNaN(rounds)) {
+      console.error(`cannot parse ${args[1]} as integer`)
+      process.exit(1)
+    } else if (rounds < 5) {
+      console.error(`expected rounds at least 5 for security, get ${rounds}`)
+      process.exit(1)
+    } else if (rounds > 15) {
+      console.error(`expected rounds at most 15 to prevent it being too slow, get ${rounds}`)
+    }
+  }
+
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: null,
+    terminal: true,
+  })
+
+  process.stderr.write("Enter password (max 72 bytes): ")
+  rl.question("", (password) => {
+    rl.close()
+    try {
+      const hash = hashSync(password, rounds)
+      process.stdout.write("\n" + hash + "\n")
+    } catch (err) {
+      console.error(`Error: ${err.message}`)
+      process.exit(1)
+    }
+  })
+}
+
+main()

worker/pages/auth.ts

@@ -1,4 +1,5 @@
 import { atob_utf8, btoa_utf8, WorkerError } from "../common.js"
+import { compareSync } from "bcrypt-ts"
 
 // Encoding function
 export function encodeBasicAuth(username: string, password: string): string {
@@ -36,7 +37,7 @@ export function verifyAuth(request: Request, env: Env): Response | null {
 
   if (request.headers.has("Authorization")) {
     const { username, password } = decodeBasicAuth(request.headers.get("Authorization")!)
-    if (!passwdMap.has(username) || passwdMap.get(username) !== password) {
+    if (!passwdMap.has(username) || !compareSync(password, passwdMap.get(username)!)) {
       throw new WorkerError(401, "incorrect passwd for basic auth")
     } else {
       return null

worker/test/basicAuth.spec.ts

@@ -2,6 +2,7 @@ import { expect, test, it, describe, beforeEach, afterEach } from "vitest"
 import { areBlobsEqual, BASE_URL, genRandomBlob, upload, uploadExpectStatus, workerFetch } from "./testUtils"
 import { encodeBasicAuth, decodeBasicAuth } from "../pages/auth"
 import { createExecutionContext, env } from "cloudflare:test"
+import { hashSync } from "bcrypt-ts"
 
 test("basic auth encode and decode", () => {
   const userPasswdPairs = [
@@ -32,7 +33,7 @@ describe("basic auth", () => {
    ref: https://github.com/cloudflare/workers-sdk/issues/7339
   */
   beforeEach(() => {
-    env.BASIC_AUTH = users
+    env.BASIC_AUTH = Object.fromEntries(Object.entries(users).map(([user, passwd]) => [user, hashSync(passwd, 8)]))
   })
 
   afterEach(() => {

yarn.lock

@@ -3802,6 +3802,13 @@
   dependencies:
     "@babel/types" "^7.20.7"
 
+"@types/bcrypt@^5.0.2":
+  version "5.0.2"
+  resolved "https://registry.yarnpkg.com/@types/bcrypt/-/bcrypt-5.0.2.tgz#22fddc11945ea4fbc3655b3e8b8847cc9f811477"
+  integrity sha512-6atioO8Y75fNcbmj0G7UjI9lXN2pQ/IGJ2FWT4a/btd0Lk9lQalHLKhkgKVZ3r+spnmWUKfbMi1GEe9wyHQfNQ==
+  dependencies:
+    "@types/node" "*"
+
 "@types/cookie@^0.6.0":
   version "0.6.0"
   resolved "https://registry.yarnpkg.com/@types/cookie/-/cookie-0.6.0.tgz#eac397f28bf1d6ae0ae081363eca2f425bedf0d5"
@@ -3855,6 +3862,13 @@
   resolved "https://registry.yarnpkg.com/@types/ms/-/ms-2.1.0.tgz#052aa67a48eccc4309d7f0191b7e41434b90bb78"
   integrity sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==
 
+"@types/node@*":
+  version "22.15.21"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-22.15.21.tgz#196ef14fe20d87f7caf1e7b39832767f9a995b77"
+  integrity sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ==
+  dependencies:
+    undici-types "~6.21.0"
+
 "@types/node@^22.14.1":
   version "22.15.2"
   resolved "https://registry.yarnpkg.com/@types/node/-/node-22.15.2.tgz#1db55aa64618ee93a58c8912f74beefe44aca905"
@@ -4176,6 +4190,11 @@ balanced-match@^1.0.0:
   resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.2.tgz#e83e3a7e3f300b34cb9d87f615fa0cbf357690ee"
   integrity sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==
 
+bcrypt-ts@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/bcrypt-ts/-/bcrypt-ts-7.0.0.tgz#2869a8747a05b147d2d495e743bafc8793d96508"
+  integrity sha512-JMr30sbKPwF+2TccaNOYJuDx+nCmnTvHGB2rwkj+To/xZhBTX9f8zpTqGy3kpkS26KWOEYPsQlOJ5MVD00RHQQ==
+
 [email protected]:
   version "0.2.14"
   resolved "https://registry.yarnpkg.com/birpc/-/birpc-0.2.14.tgz#4a5498771e6ff24cf8ae5f47faf90e76ca2fce03"