From 60b58143e7356f6efc6f2ec8b690c11ae4ee616b Mon Sep 17 00:00:00 2001
From: Arzumify
Date: Sun, 21 Jul 2024 09:09:48 +0100
Subject: [PATCH] Made changing passwords work correctly and made the legacy password migration set the migrate flag serverside

---
 static/js/login.js | 16 ++++++++++++----
 static/js/main.js | 37 +++++++++++++++++++++++++++++--------
 2 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/static/js/login.js b/static/js/login.js
index 66eaaf7..b9c0abd 100644
--- a/static/js/login.js
+++ b/static/js/login.js
@@ -41,6 +41,7 @@ async function migrateLegacyPassword(secretKey, password) {
 body: JSON.stringify({
 secretKey: secretKey,
 newPassword: password,
+ migration: true
 }),
 headers: {
 "Content-Type": "application/json; charset=UTF-8",
@@ -179,10 +180,17 @@ signupButton.addEventListener("click", () => {
 hashLength: 32,
 outputType: "hex"
 }))
- await migrateLegacyPassword(loginDataOld["key"], hashedPass)
- statusBox.innerText = "Welcome back!"
- await new Promise(r => setTimeout(r, 200))
- window.location.href = "/app/"
+ statusBox.innerText = "Migrating password..."
+ let status = await migrateLegacyPassword(loginDataOld["key"], hashedPass)
+ if (status.status === 200) {
+ statusBox.innerText = "Welcome back!"
+ await new Promise(r => setTimeout(r, 200))
+ window.location.href = "/app/"
+ } else {
+ statusBox.innerText = (await status.json())["error"]
+ showInput(1)
+ showElements(true)
+ }
 } else {
 statusBox.innerText = loginDataOld["error"]
 showInput(1)
diff --git a/static/js/main.js b/static/js/main.js
index 9ce30fd..7ffd752 100644
--- a/static/js/main.js
+++ b/static/js/main.js
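Review bot: The `migration: true` field added to the request body is entirely client-controlled, so the server must not use it to decide whether an account is eligible for legacy migration or to skip any verification that a normal password change performs — anyone can replay the same body with `migration: true` and an arbitrary secretKey. The commit title says the migrate flag is set server-side, but this hunk only adds a request field, so I would confirm the handler derives migration state from the stored account record and treats the field as a hint at most; the server code is not visible here. A comment at the field, `// hint only: the server must decide migration from the stored account, never from this flag`, records that contract for the next reader. migrateLegacyPassword starts and ends outside the hunk.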
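Review bot: In the new else branch `status.json()` is called unguarded; a proxy or server error that returns a non-JSON body, or JSON without an `error` key, throws or yields `undefined` here, leaving the status box stuck on "Migrating password..." with the inputs hidden because showInput/showElements never run. I would default the message first, `let message = "Migration failed"`, then `try { message = (await status.json())["error"] ?? message } catch {}` before assigning `statusBox.innerText = message`, and rename `status` to `response` since it holds a Response rather than a code. innerText is the right sink for a server-supplied string, so no injection issue there. The signupButton handler starts and ends outside the hunk.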
@@ -416,11 +416,15 @@ document.addEventListener("DOMContentLoaded", function() {
 }
 async function hashpass(pass) {
- let key = pass
- for (let i = 0; i < 128; i++) {
- key = await hashwasm.sha3(key)
- }
- return key
+ return await hashwasm.argon2id({
+ password: pass,
+ salt: new TextEncoder().encode("I munch Burgers!!"),
+ parallelism: 1,
+ iterations: 32,
+ memorySize: 19264,
+ hashLength: 32,
+ outputType: "hex"
+ })
 }
 changePasswordButton.addEventListener("click", () => {
@@ -435,7 +439,8 @@ document.addEventListener("DOMContentLoaded", function() {
 method: "POST",
 body: JSON.stringify({
 secretKey: secretkey,
- newPassword: await hashpass(oldPass)
+ newPassword: await hashpass(oldPass),
+ migration: false
 }),
 headers: {
 "Content-Type": "application/json; charset=UTF-8",
@@ -466,7 +471,15 @@ document.addEventListener("DOMContentLoaded", function() {
 await waitForConfirm()
 const oldPass = errorInput.value
 errorInput.classList.add("hidden")
- if (await hashwasm.sha512(oldPass) !== password) {
+ if (await hashwasm.argon2id({
+ password: password,
+ salt: new TextEncoder().encode("I love Burgernotes!"),
+ parallelism: 1,
+ iterations: 32,
+ memorySize: 19264,
+ hashLength: 32,
+ outputType: "hex"
+ }) !== password) {
 displayError("Incorrect password!")
 } else {
 errorInput.value = ""
@@ -496,7 +509,15 @@ document.addEventListener("DOMContentLoaded", function() {
 if (response.status === 200) {
 let notes = await exportNotes()
 let passwordBackup = password
- password = await hashwasm.sha512(newPass)
+ password = await hashwasm.argon2id({
+ password: password,
+ salt: new TextEncoder().encode("I love Burgernotes!"),
+ parallelism: 1,
+ iterations: 32,
+ memorySize: 19264,
+ hashLength: 32,
+ outputType: "hex"
+ })
 localStorage.setItem("DONOTSHARE-password", password)
 let purgeNotes = await fetch(remote + "/api/purgenotes", {
 method: "POST",
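Review bot: `hashpass` now derives the value sent to the server with argon2id under one fixed, application-wide salt, "I munch Burgers!!", so two accounts with the same password produce an identical `newPassword`; a constant salt defeats precomputed tables for this app but gives no separation between its users. If the server re-hashes what it receives under a per-user salt this is tolerable, but that is not visible here, and a per-account salt (for example derived from the username) would remove the cross-user correlation at the client. A header comment such as `// Client-side argon2id pre-hash of the account password; constant salt — the server must salt again per user before storing` states the assumption the function relies on. The enclosing DOMContentLoaded handler starts and ends outside the hunk.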
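Review bot: The body sends `hashpass(oldPass)` in a field named `newPassword` alongside `migration: false`; if this request is meant to re-authenticate the old password before the real change, the field name is misleading and deserves a comment such as `// re-authenticate with the old password; the real new password is sent later`, and if it is not, the old password's hash is being submitted as the new credential. Either way the server must decide migration from the stored account state rather than this client-supplied boolean, since a client can send `migration: true` just as easily. The changePasswordButton handler starts and ends outside the hunk.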
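Review bot: The replacement check hashes `password` — the key already held in memory — instead of the user's input `oldPass`, so `argon2id(password) !== password` is true in practice for every input and each old-password confirmation fails with "Incorrect password!"; the sha512 line it replaces hashed `oldPass`. The fix is one line, `password: oldPass,`. Note also that this is a local comparison against a client-held hash, not a server-side check, and `!==` on hex strings is not constant-time; for a UX gate that is acceptable but worth a one-line comment so nobody reads it as authentication. The enclosing click handler starts and ends outside the hunk.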
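Review bot: The new stored key is computed from `password` (the current key) rather than from `newPass`, which the replaced sha512 line used, so the value written to `DONOTSHARE-password` is unrelated to the password the user just chose; if login derives the key from the typed password the same way (as the login.js hunk suggests), the next login will not reproduce it and whatever is re-encrypted under it after the purge presumably becomes unreadable. The fix is `password: newPass,`. The same argon2id parameter set is now pasted three times across main.js; a helper next to `hashpass`, say `deriveLocalKey(pass)`, would keep the salt and cost parameters in sync and make this kind of wrong-argument slip visible. The enclosing click handler starts and ends outside the hunk.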