Fix #55 Add password salt to all password-dependent store methods.

CHANGELOG.md

@@ -1,3 +1,4 @@
 # 0.6.0
 - Option to assign new roles to the user scope during creation #69
-- Fix mercutio middleware injection 
+- Fixes mercutio middleware injection 
+- Added password salt #55

package.json

@@ -30,6 +30,7 @@
     "chalk": "^1.1.3",
     "commander": "^2.9.0",
     "copy-paste": "^1.3.0",
+    "crypto-random-string": "^1.0.0",
     "express": "^4.14.0",
     "handlebars": "^4.0.6",
     "jsonwebtoken": "^7.1.9",

store/createModels/index.js

@@ -32,6 +32,7 @@ module.exports = function (db) {
 		email: { type: String, required: true, index: { unique: true }, validate: value => validator.isEmail(value) },
 		firstname: { type: String, required: false },
 		lastname: { type: String, required: false },
+		salt: { type: String, required: false },
 		password: { type: String, required: true, set: passwordHash },
 		created: { type: Date, default: Date.now },
 		updated: { type: Date, default: null },
@@ -49,6 +50,7 @@ module.exports = function (db) {
 			virtuals: true,
 			transform(doc, ret) {
 				delete ret.password;
+				delete ret.salt;
 				delete ret.__t;
 				delete ret.__v;
 				delete ret.confirmationToken;

store/query/auth.js

@@ -2,7 +2,8 @@ const _ = require('lodash');
 const passwordHash = require('../util/passwordHash');
 
 module.exports = async function(email, password) {
-	const hash = passwordHash(password);
+	const body = await this.find({ email });
+	const hash = passwordHash(password + body[0].salt);
 
 	const users = await this.find({ email, password: hash });
 	if (users.length === 0) throw new Error('Wrong e-mail or password');

store/query/change-password.js

@@ -1,10 +1,12 @@
 const passwordHash = require('../util/passwordHash');
+const salt = require('../util/salt');
 
 module.exports = async function(id, password, repeated, newPassword) {
 	const user = await this.findById(id);
-	if (passwordHash(password) === user.password) {
+	if (passwordHash(password + user.salt) === user.password) {
 		if (password === repeated) {
-			user.password = newPassword;
+			user.salt = salt();
+			user.password = newPassword + user.salt;
 			const err = await user.validateSync();
 			if (err) throw new Error(err);
 			await user.save();

store/query/insert.js

@@ -1,5 +1,6 @@
 const passwordGenerator = require('password-generator');
 const _ = require('lodash');
+const salt = require('../util/salt');
 
 function sortRoles(roles) {
 	const rolesWithoutScope = [];
@@ -26,7 +27,9 @@ function sortRoles(roles) {
 module.exports = async function(body) {
 	let rolesWithoutScope;
 	let rolesWithScope;
+	body.salt = salt();
 	body.password = (body.password) ? body.password : passwordGenerator(8);
+	body.password += body.salt;
 	if (body.roles) {
 		const sortedRoles = sortRoles(body.roles);
 		rolesWithoutScope = sortedRoles.rolesWithoutScope;

store/query/register.js

@@ -1,4 +1,8 @@
+const salt = require('../util/salt');
+
 module.exports = async function(user) {
+	user.salt = salt();
+	user.password += user.salt;
 	const rawUser = await this.create(user);
 	await this.configureDefaultRoles(rawUser._id);
 	const result = await this.get(rawUser._id);

store/util/salt.js

@@ -0,0 +1,5 @@
+const cryptoRandomString = require('crypto-random-string');
+
+module.exports = function() {
+	return cryptoRandomString(30);
+};