hash and salt instead of plaintext pw

murocast · Feb 29, 2020 · 09ddcac · 09ddcac
1 parent cf82b43
commit 09ddcac
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 6 deletions.
diff --git a/src/Server/Authentication.fs b/src/Server/Authentication.fs
@@ -3,6 +3,8 @@ module Castos.Auth
 open Castos
 open Castos.Configuration
 open System
+open System.Security.Cryptography
+open Microsoft.AspNetCore.Cryptography.KeyDerivation
 open Giraffe
 open Saturn
 open FSharp.Control.Tasks.V2
@@ -20,7 +22,8 @@ open FSharp.Data
 type User = {
     Id : UserId
     Email: string
-    Password: string //TODO: Hash and salt
+    PasswordHash: string
+    Salt: byte array
     Roles: string list
 }
 
@@ -43,6 +46,15 @@ type TokenResult =
         Token : string
     }
 
+let generateSalt() =
+    use rng = RandomNumberGenerator.Create()
+    let mutable (salt:byte array) = Array.zeroCreate (128 / 8) //128bit salt
+    rng.GetBytes(salt)
+    salt
+
+let calculateHash password salt =
+    Convert.ToBase64String(KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA256, 10000, 256 / 8)) //256bit hash with SHA256
+
 let claimsToAuthUser (cp:ClaimsPrincipal):AuthenticatedUser =
     cp.Claims
     |> Seq.fold (fun state c -> match c.Type with
@@ -77,7 +89,7 @@ let handlePostToken authConfig (getUser:string -> Result<User option, Error>) =
 
             let user = getUser model.Email
             let result = match user with
-                             | Success (Some u) when u.Password = model.Password //TODO: Hash with salt
+                             | Success (Some u) when u.PasswordHash = calculateHash model.Password u.Salt
                                  -> json { Token = generateToken authConfig.Secret authConfig.Issuer u} next ctx
                              | _ ->
                                     ctx.Response.StatusCode <- HttpStatusCodes.Unauthorized

diff --git a/src/Server/Events.fs b/src/Server/Events.fs
@@ -66,7 +66,8 @@ and EpisodeId = int
 and UserAdded = {
     Id : UserId
     Email: string
-    Password: string
+    PasswordHash: string
+    Salt: byte array
 }
 and PasswordChanged = {
     Id: UserId

diff --git a/src/Server/UserCompositions.fs b/src/Server/UserCompositions.fs
@@ -31,9 +31,12 @@ let getUserComposition eventStore email =
     | Failure m -> fail m
 
 let addUserComposition eventStore (rendition:AddUserRendition) =
+    let salt = generateSalt()
+    let hash = calculateHash rendition.Password salt
     UserAdded { Id = Guid.NewGuid() |> UserId
                 Email = rendition.EMail
-                Password = rendition.Password } //TODO: Hash and Salt
+                PasswordHash = hash
+                Salt = salt }
     |> storeUsersEvent eventStore
 
     ok ("added user")
@@ -44,7 +47,7 @@ let smapiauthComposition (db:Database.DatabaseConnection) eventStore (rendition:
     | Failure m -> fail "Users not found"
     | Success users -> match (getUser users rendition.EMail) with
                        | None -> fail "User not found"
-                       | Some u -> let correctPassword = (u.Password = rendition.Password)
+                       | Some u -> let correctPassword = (u.PasswordHash = calculateHash rendition.Password u.Salt)
                                    let authReq = db.GetAuthRequestByLinkToken rendition.LinkCode rendition.HouseholdId
                                    let found = authReq.IsSome
                                    match (correctPassword, found) with

diff --git a/src/Server/Users.fs b/src/Server/Users.fs
@@ -7,7 +7,8 @@ let private apply state event =
     match event with
     | UserAdded data -> { Id = data.Id
                           Email = data.Email
-                          Password = data.Password
+                          PasswordHash = data.PasswordHash
+                          Salt = data.Salt
                           Roles = [] } :: state
     | _ -> failwith "unkown event"