separate _users and sl-users hashing, make _users hashing compatible with couch34

Jan Kopcsek · jkopcsek · commit 131620d7a90f · 2025-10-29T12:59:41.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 ## Change Log
 
+#### 0.22.X: Hashing update
+
+##### 0.22.0
+- :sparkles: separate hashing configuration of `_users` and `sl-users` passwords (there is a new `sessionHashing` object right besides `iterations`)
+- :sparkles: session validation takes all parameters of the `_users` doc into account when verifying the session (`iterations` and `pbkdf2_prf`)
+- :sparkles: new `_users` session will default to 'sha256' with 1000 iterations and 32 byte keys. To prevent couchdb from upgrading them to stronger hashes, configure `upgrade_hash_on_auth` to false or `iterations` to 1000. As the `_users` provide only temporary access and use random passwords, the time to verify the hashes with 600.000 iterations it not really worth it as couch-auth doesn't employ hash-caching as couchdb does. 
+
 #### 0.20.X: Brute force protection
 
 ##### 0.20.1
diff --git a/src/dbauth/couchdb.ts b/src/dbauth/couchdb.ts
@@ -2,29 +2,28 @@
 import { DocumentScope, ServerScope } from 'nano';
 import {
   getSecurityDoc,
-  hyphenizeUUID,
   putSecurityDoc,
   toArray
 } from '../util';
-import { hashCouchPassword, Hashing } from '../hashing';
+
 import { Config } from '../types/config';
 import { CouchDbAuthDoc } from '../types/typings';
 import { DBAdapter } from '../types/adapters';
+import { SessionHashing } from '../session-hashing';
 
 const userPrefix = 'org.couchdb.user:';
 
 export class CouchAdapter implements DBAdapter {
   couchAuthOnCloudant = false;
-  private hasher: Hashing;
   constructor(
     private couchAuthDB: DocumentScope<CouchDbAuthDoc>,
     private couch: ServerScope,
-    private config: Partial<Config>
+    private config: Partial<Config>,
+    private session: SessionHashing = new SessionHashing(config)
   ) {
     if (this.config?.dbServer.couchAuthOnCloudant) {
       this.couchAuthOnCloudant = true;
     }
-    this.hasher = new Hashing(config);
   }
 
   /**
@@ -47,22 +46,16 @@ export class CouchAdapter implements DBAdapter {
       roles = [];
     }
     roles.unshift('user:' + username);
-    let newKey: CouchDbAuthDoc = {
+    const newKey: CouchDbAuthDoc = {
       _id: userPrefix + key,
       type: 'user',
       name: key,
       user_uid: user_uid,
       user_id: username,
       expires: expires,
       roles: roles,
-      provider: provider
-    };
-    // required when using Cloudant or other db than `_users`
-    newKey.password_scheme = 'pbkdf2';
-    newKey.iterations = 10;
-    newKey = {
-      ...newKey,
-      ...(await hashCouchPassword(password))
+      provider: provider,
+      ...(await this.session.hashSessionPassword(password))
     };
 
     try {
diff --git a/src/session-hashing.ts b/src/session-hashing.ts
@@ -0,0 +1,66 @@
+'use strict';
+import pwdModule from '@sl-nx/couch-pwd';
+import { Config } from './types/config';
+import { HashResult } from './types/typings';
+
+export class SessionHashing {
+
+  static invalidErr = { status: 401, message: 'invalid token' };
+
+  // Hasher for hashing _users passwords
+  private pwdCouch: pwdModule;
+  
+  constructor(config: Partial<Config>) {
+    const iterations = config.security?.sessionHashing?.iterations || 1000;
+    const pbkdf2Prf = config.security?.sessionHashing?.pbkdf2Prf || 'sha256';
+    const keyLength = config.security?.sessionHashing?.keyLength || 32;
+    const saltLength = config.security?.sessionHashing?.saltLength || 16;
+
+    this.pwdCouch = new pwdModule(
+      iterations,
+      keyLength,
+      saltLength,
+      'hex',
+      pbkdf2Prf
+    );
+  }
+
+  // Function for hashing _users passwords
+  public hashSessionPassword(password: string): Promise<HashResult> {
+    return new Promise((resolve, reject) => {
+      this.pwdCouch.hash(password, (err, salt, hash) => {
+        if (err) {
+          return reject(err);
+        }
+        return resolve({
+          salt: salt,
+          derived_key: hash,
+          password_scheme: 'pbkdf2',
+          pbkdf2_prf: this.pwdCouch.digest,
+          iterations: this.pwdCouch.iterations
+        });
+      });
+    });
+  }
+  
+  public verifySessionPassword(hashObj: HashResult, pw: string): Promise<boolean> {
+    return new Promise((resolve, reject) => {
+      const iterations = hashObj.iterations || 10;
+      const digest = hashObj.pbkdf2_prf || 'sha1';
+      const length = digest === 'sha1' ? 20 : 32;
+      const pwdCouch = new pwdModule(iterations, length, 16, 'hex', digest);
+      
+      const salt = hashObj.salt;
+      const derived_key = hashObj.derived_key;
+      pwdCouch.hash(pw, salt, (err, hash) => {
+        if (err) {
+          return reject(err);
+        } else if (hash !== derived_key) {
+          return resolve(false);
+        } else {
+          return resolve(true);
+        }
+      });
+    });
+  }
+}
diff --git a/src/session.ts b/src/session.ts
diff --git a/src/types/config.ts b/src/types/config.ts
@@ -93,6 +93,16 @@ export interface SecurityConfig {
    * next timestamp in the array. Default: `undefined` uses only 10 iterations.
    */
   iterations?: [number, number][];
+  sessionHashing?: {
+    /** Hashing algorithm for pbkdf2, either 'sha1' or 'sha256'. Default: 'sha256' */
+    pbkdf2Prf?: 'sha1' | 'sha256';
+    /** Number of iterations for pbkdf2 password hashing. Default: 1000 */
+    iterations?: number;
+    /** Length of the derived key. Default: 32 */
+    keyLength?: number;
+    /** Length of the salt. Default: 16 */
+    saltLength?: number;
+  }
   /**
    * Whether couch-auth should handle errors itself or
    * forward to the express error mechanism (`next(err)`)
diff --git a/src/types/typings.ts b/src/types/typings.ts
@@ -57,11 +57,24 @@ export interface HashResult {
    * (`security.iterations`) that matches the creation date.
    */
   created?: number;
+
+  /**
+   * The password hashing scheme used (e.g., 'pbkdf2')
+   */
+  password_scheme?: string;
+  /**
+   * The pseudorandom function used for PBKDF2 hashing (e.g., 'sha1' or 'sha256')
+   */
+  pbkdf2_prf?: string;
+
+  /**
+   * Number of iterations used in the hashing process
+   */
+  iterations?: number;
 }
 
 export interface LocalHashObj extends HashResult {
   failedLoginAttempts?: number;
-  iterations?: number;
   lockedUntil?: number;
 }
 
diff --git a/src/user-hashing.ts b/src/user-hashing.ts
@@ -5,20 +5,10 @@ import { URLSafeUUID } from './util';
 
 const pwd = new pwdModule();
 
-export function hashCouchPassword(password: string): Promise<HashResult> {
-  return new Promise(function (resolve, reject) {
-    pwd.hash(password, function (err, salt, hash) {
-      if (err) {
-        return reject(err);
-      }
-      return resolve({
-        salt: salt,
-        derived_key: hash
-      });
-    });
-  });
-}
-export class Hashing {
+/**
+ * Class for hashing and verifying sl-user passwords
+ */
+export class UserHashing {
   hashers = [];
   times: number[] = [];
   dummyHashObject: LocalHashObj = { iterations: 10 };
diff --git a/src/user.ts b/src/user.ts
@@ -7,9 +7,9 @@ import { DocumentScope, ServerScope } from 'nano';
 import url from 'url';
 import { v4 as uuidv4 } from 'uuid';
 import { DBAuth } from './dbauth';
-import { Hashing } from './hashing';
+import { UserHashing } from './user-hashing';
 import { Mailer } from './mailer';
-import { Session } from './session';
+import { SessionHashing } from './session-hashing';
 import { Config } from './types/config';
 import {
   ConsentRequest,
@@ -50,10 +50,10 @@ export enum ValidErr {
 export class User {
   private dbAuth: DBAuth;
   private userDbManager: DbManager;
-  private session: Session;
+  private session: SessionHashing;
   private onCreateActions: SlAction[];
   private onLinkActions: SlAction[];
-  private hasher: Hashing;
+  private hasher: UserHashing;
 
   private passwordConstraints;
   /**
@@ -89,8 +89,8 @@ export class User {
     this.dbAuth = new DBAuth(config, userDB, couchServer, couchAuthDB);
     this.onCreateActions = [];
     this.onLinkActions = [];
-    this.hasher = new Hashing(config);
-    this.session = new Session(this.hasher);
+    this.hasher = new UserHashing(config);
+    this.session = new SessionHashing(config);
     this.userDbManager = new DbManager(userDB, config);
     this.passwordConstraints = config.local.passwordConstraints;
 
@@ -1341,26 +1341,25 @@ export class User {
       }
 
       if (doc.expires > Date.now()) {
-        doc._id = doc.user_id;
-        delete doc.user_id;
-        delete doc.name;
-        delete doc.type;
-        delete doc._rev;
-        delete doc.password_scheme;
-        return { key, ...(await this.session.confirmToken(doc, password)) } as {
-          key: string;
-          user_uid: string;
-          expires: number;
-          roles: string[];
-          provider: string;
-        };
+        if (await this.session.verifySessionPassword(doc, password)) {
+          return { 
+            key, 
+            _id: doc.user_id,
+            user_uid: doc.user_uid,
+            expires: doc.expires,
+            roles: doc.roles,
+            provider: doc.provider
+          };
+        } else {
+          throw SessionHashing.invalidErr;
+        }
       } else {
         this.dbAuth.removeKeys(key);
+        throw SessionHashing.invalidErr;
       }
     } catch {
-      await this.session.confirmToken({}, password);
+      throw SessionHashing.invalidErr;
     }
-    throw Session.invalidErr;
   }
 
   /**
diff --git a/test/session.spec.ts b/test/session.spec.ts
