feat(security): RN-1303: Update password storage to use argon2

packages/auth/package.json

@@ -23,6 +23,7 @@
     "test:coverage": "yarn test --coverage"
   },
   "dependencies": {
+    "@node-rs/argon2": "^1.8.3",
     "@tupaia/server-utils": "workspace:*",
     "@tupaia/utils": "workspace:*",
     "jsonwebtoken": "^9.0.0",

packages/auth/src/Authenticator.js

@@ -1,14 +1,14 @@
 /**
  * Tupaia
- * Copyright (c) 2017 - 2020 Beyond Essential Systems Pty Ltd
+ * Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
  */
 import randomToken from 'rand-token';
 import compareVersions from 'semver-compare';
 
 import { DatabaseError, UnauthenticatedError, UnverifiedError } from '@tupaia/utils';
 import { AccessPolicyBuilder } from './AccessPolicyBuilder';
 import { mergeAccessPolicies } from './mergeAccessPolicies';
-import { encryptPassword } from './utils';
+import { verifyPassword } from './passwordEncryption';
 import { getTokenClaims } from './userAuth';
 
 const REFRESH_TOKEN_LENGTH = 40;
@@ -47,12 +47,15 @@ export class Authenticator {
    * @param {{ username: string, secretKey: string }} apiClientCredentials
    */
   async authenticateApiClient({ username, secretKey }) {
-    const secretKeyHash = encryptPassword(secretKey, process.env.API_CLIENT_SALT);
     const apiClient = await this.models.apiClient.findOne({
       username,
-      secret_key_hash: secretKeyHash,
     });
-    if (!apiClient) {
+    const verified = await verifyPassword(
+      secretKey,
+      process.env.API_CLIENT_SALT,
+      apiClient.secret_key_hash,
+    );
+    if (!verified) {
       throw new UnauthenticatedError('Could not authenticate Api Client');
     }
     const user = await apiClient.getUser();

packages/auth/src/index.js

@@ -1,11 +1,15 @@
 /**
  * Tupaia
- * Copyright (c) 2017 - 2020 Beyond Essential Systems Pty Ltd
+ * Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
  */
-
 export { Authenticator } from './Authenticator';
 export { AccessPolicyBuilder } from './AccessPolicyBuilder';
-export * from './utils';
+export {
+  encryptPassword,
+  verifyPassword,
+  hashAndSaltPassword,
+  sha256EncryptPassword,
+} from './passwordEncryption';
 export { getJwtToken, extractRefreshTokenFromReq, generateSecretKey } from './security';
 export {
   getTokenClaimsFromBearerAuth,

packages/auth/src/passwordEncryption.js

@@ -0,0 +1,49 @@
+/*
+ * Tupaia
+ *  Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
+ */
+import { randomBytes } from 'crypto';
+import { hash, verify } from '@node-rs/argon2';
+import sha256 from 'sha256';
+
+/**
+ * Helper function to encrypt passwords using argon2
+ * @param password {string}
+ * @param salt {string}
+ * @returns {Promise<string>}
+ */
+export function encryptPassword(password, salt) {
+  return hash(`${password}${salt}`);
+}
+
+/**
+ * Helper function to verify passwords using argon2
+ * @param password
+ * @param salt {string}
+ * @param hash {string}
+ * @returns {Promise<boolean>}
+ */
+export async function verifyPassword(password, salt, hash) {
+  return verify(hash, `${password}${salt}`);
+}
+
+/**
+ * Helper function to hash and salt passwords using argon2
+ * @param password {string}
+ * @returns {Promise<{password_salt: string, password_hash: string}>}
+ */
+export async function hashAndSaltPassword(password) {
+  const salt = randomBytes(16).toString('base64'); // Generate a random salt
+  const encryptedPassword = await encryptPassword(password, salt);
+  return { password_hash: encryptedPassword, password_salt: salt };
+}
+
+/**
+ * Helper function to encrypt passwords using sha256
+ * @param password {string}
+ * @param salt {string}
+ * @returns {string}
+ */
+export function sha256EncryptPassword(password, salt) {
+  return sha256(`${password}${salt}`);
+}

packages/central-server/src/apiV2/changePassword.js

@@ -39,7 +39,7 @@ export async function changePassword(req, res, next) {
     if (!isTokenValid) {
       throw new FormValidationError('One time login is invalid');
     }
-  } else if (!user.checkPassword(oldPassword)) {
+  } else if (!(await user.checkPassword(oldPassword))) {
     throw new FormValidationError('Incorrect current password', ['oldPassword']);
   }
 
@@ -53,8 +53,9 @@ export async function changePassword(req, res, next) {
     throw new FormValidationError(error.message, ['password', 'passwordConfirm']);
   }
 
+  const passwordAndSalt = await hashAndSaltPassword(passwordParam);
   await models.user.updateById(userId, {
-    ...hashAndSaltPassword(passwordParam),
+    ...passwordAndSalt,
   });
 
   respond(res, { message: 'Password successfully updated' });

packages/central-server/src/apiV2/import/importUsers.js

@@ -53,9 +53,11 @@ export async function importUsers(req, res) {
           }
           emails.push(userObject.email);
           const { password, permission_group: permissionGroupName, ...restOfUser } = userObject;
+          const passwordAndSalt = await hashAndSaltPassword(password);
+
           const userToUpsert = {
             ...restOfUser,
-            ...hashAndSaltPassword(password),
+            ...passwordAndSalt,
           };
           const user = await transactingModels.user.updateOrCreate(
             { email: userObject.email },

packages/central-server/src/apiV2/middleware/auth/clientAuth.js

@@ -1,10 +1,9 @@
 /**
- * Tupaia MediTrak
- * Copyright (c) 2017 Beyond Essential Systems Pty Ltd
+ * Tupaia
+ * Copyright (c) 2017 - 2024 Beyond Essential Systems Pty Ltd
  */
-
 import { UnauthenticatedError, requireEnv } from '@tupaia/utils';
-import { encryptPassword, getUserAndPassFromBasicAuth } from '@tupaia/auth';
+import { verifyPassword, getUserAndPassFromBasicAuth } from '@tupaia/auth';
 
 export async function getAPIClientUser(authHeader, models) {
   const { username, password: secretKey } = getUserAndPassFromBasicAuth(authHeader);
@@ -15,12 +14,11 @@ export async function getAPIClientUser(authHeader, models) {
   const API_CLIENT_SALT = requireEnv('API_CLIENT_SALT');
 
   // We always need a valid client; throw if none is found
-  const secretKeyHash = encryptPassword(secretKey, API_CLIENT_SALT);
   const apiClient = await models.apiClient.findOne({
     username,
-    secret_key_hash: secretKeyHash,
   });
-  if (!apiClient) {
+  const verified = await verifyPassword(secretKey, API_CLIENT_SALT, apiClient.secret_key_hash);
+  if (!verified) {
     throw new UnauthenticatedError('Incorrect client username or secret');
   }
   return apiClient.getUser();

packages/central-server/src/apiV2/userAccounts/CreateUserAccounts.js

@@ -46,7 +46,7 @@ export class CreateUserAccounts extends CreateHandler {
         await transactingModels.apiClient.create({
           username: user.email,
           user_account_id: user.id,
-          secret_key_hash: encryptPassword(secretKey, process.env.API_CLIENT_SALT),
+          secret_key_hash: await encryptPassword(secretKey, process.env.API_CLIENT_SALT),
         });
       }
 
@@ -103,13 +103,15 @@ export class CreateUserAccounts extends CreateHandler {
       ...restOfUser
     },
   ) {
+    const passwordAndSalt = await hashAndSaltPassword(password);
+
     return transactingModels.user.create({
       first_name: firstName,
       last_name: lastName,
       email: emailAddress,
       mobile_number: contactNumber,
       primary_platform: primaryPlatform,
-      ...hashAndSaltPassword(password),
+      ...passwordAndSalt,
       verified_email: verifiedEmail,
       ...restOfUser,
     });

packages/central-server/src/apiV2/userAccounts/EditUserAccounts.js

@@ -49,11 +49,12 @@ export class EditUserAccounts extends EditHandler {
       ...restOfUpdatedFields
     } = this.updatedFields;
     let updatedFields = restOfUpdatedFields;
+    const passwordAndSalt = await hashAndSaltPassword(password);
 
     if (password) {
       updatedFields = {
         ...updatedFields,
-        ...hashAndSaltPassword(password),
+        ...passwordAndSalt,
       };
     }
 

packages/central-server/src/apiV2/utilities/emailVerification.js

@@ -3,7 +3,7 @@
  *  Copyright (c) 2017 - 2021 Beyond Essential Systems Pty Ltd
  */
 
-import { encryptPassword } from '@tupaia/auth';
+import { encryptPassword, verifyPassword } from '@tupaia/auth';
 import { sendEmail } from '@tupaia/server-utils';
 import { requireEnv } from '@tupaia/utils';
 
@@ -24,7 +24,7 @@ const EMAILS = {
 };
 
 export const sendEmailVerification = async user => {
-  const token = encryptPassword(user.email + user.password_hash, user.password_salt);
+  const token = await encryptPassword(`${user.email}${user.password_hash}`, user.password_salt);
   const platform = user.primary_platform ? user.primary_platform : 'tupaia';
   const { subject, signOff, platformName } = EMAILS[platform];
   const TUPAIA_FRONT_END_URL = requireEnv('TUPAIA_FRONT_END_URL');
@@ -59,5 +59,16 @@ export const verifyEmailHelper = async (models, searchCondition, token) => {
     verified_email: searchCondition,
   });
 
-  return users.find(x => encryptPassword(x.email + x.password_hash, x.password_salt) === token);
+  for (const user of users) {
+    const verified = await verifyPassword(
+      `${user.email}${user.password_hash}`,
+      user.password_salt,
+      token,
+    );
+
+    if (verified) {
+      return user;
+    }
+  }
+  return null;
 };

packages/central-server/src/dataAccessors/createUser.js

@@ -39,12 +39,14 @@ export const createUser = async (
         throw new Error(`No such country: ${countryName}`);
       }
 
+      const passwordAndSalt = await hashAndSaltPassword(password);
+
       const user = await transactingModels.user.create({
         first_name: firstName,
         last_name: lastName,
         email: emailAddress,
         mobile_number: contactNumber,
-        ...hashAndSaltPassword(password),
+        ...passwordAndSalt,
         verified_email: verifiedEmail,
         ...restOfUser,
       });
@@ -61,7 +63,7 @@ export const createUser = async (
         await transactingModels.apiClient.create({
           username: user.email,
           user_account_id: user.id,
-          secret_key_hash: encryptPassword(secretKey, process.env.API_CLIENT_SALT),
+          secret_key_hash: await encryptPassword(secretKey, process.env.API_CLIENT_SALT),
         });
       }
 

packages/central-server/src/database/models/UserEntityPermission.js

@@ -70,5 +70,5 @@ async function onUpsertSendPermissionGrantEmail(
 async function expireAccess({ new_record: newRecord, old_record: oldRecord }, models) {
   const userId = newRecord?.user_id || oldRecord.user_id;
   const user = await models.user.findById(userId);
-  await user.expireSessionToken('tupaia_web');
+  await user?.expireSessionToken('tupaia_web');
 }