use async hashPassword/verifyPassword

Signed-off-by: BinotaLIU <me@binota.org>

Author: binotaliu

bin/manage_users

@@ -43,9 +43,10 @@ async function createUser (argv) {
   }
 
   const pass = getPass(argv, 'add')
+  const hashedPass = await models.User.hashPassword(pass)
 
   // Lets try to create, and check success
-  const ref = await models.User.create({ email: argv['add'], password: pass })
+  const ref = await models.User.create({ email: argv['add'], password: hashedPass })
   if (ref === undefined) {
     console.log(`Could not create user with email ${argv['add']}`)
     process.exit(1)
@@ -79,7 +80,7 @@ async function resetUser (argv) {
   const pass = getPass(argv, 'reset')
 
   // set password and save
-  existingUser.password = pass
+  existingUser.password = await models.User.hashPassword(pass)
   await existingUser.save()
   console.log(`User with email ${argv['reset']} password has been reset`)
 }

lib/auth/email/index.js

@@ -15,50 +15,56 @@ const emailAuth = module.exports = Router()
 
 passport.use(new LocalStrategy({
   usernameField: 'email'
-}, function (email, password, done) {
+}, async function (email, password, done) {
   if (!validator.isEmail(email)) return done(null, false)
-  models.User.findOne({
-    where: {
-      email: email
-    }
-  }).then(function (user) {
+
+  try {
+    const user = await models.User.findOne({
+      where: {
+        email: email
+      }
+    })
+
     if (!user) return done(null, false)
-    if (!user.verifyPassword(password)) return done(null, false)
+    if (!await user.verifyPassword(password)) return done(null, false)
     return done(null, user)
-  }).catch(function (err) {
+  } catch (err) {
     logger.error(err)
     return done(err)
-  })
+  }
 }))
 
 if (config.allowEmailRegister) {
-  emailAuth.post('/register', urlencodedParser, function (req, res, next) {
+  emailAuth.post('/register', urlencodedParser, async function (req, res, next) {
     if (!req.body.email || !req.body.password) return response.errorBadRequest(req, res)
     if (!validator.isEmail(req.body.email)) return response.errorBadRequest(req, res)
-    models.User.findOrCreate({
-      where: {
-        email: req.body.email
-      },
-      defaults: {
-        password: req.body.password
-      }
-    }).spread(function (user, created) {
-      if (user) {
-        if (created) {
-          logger.debug('user registered: ' + user.id)
-          req.flash('info', "You've successfully registered, please signin.")
-        } else {
-          logger.debug('user found: ' + user.id)
-          req.flash('error', 'This email has been used, please try another one.')
+    try {
+      const [user, created] = await models.User.findOrCreate({
+        where: {
+          email: req.body.email
+        },
+        defaults: {
+          password: await models.User.hashPassword(req.body.password)
         }
+      })
+
+      if (!user) {
+        req.flash('error', 'Failed to register your account, please try again.')
         return res.redirect(config.serverURL + '/')
       }
-      req.flash('error', 'Failed to register your account, please try again.')
+
+      if (created) {
+        logger.debug('user registered: ' + user.id)
+        req.flash('info', "You've successfully registered, please signin.")
+      } else {
+        logger.debug('user found: ' + user.id)
+        req.flash('error', 'This email has been used, please try another one.')
+      }
       return res.redirect(config.serverURL + '/')
-    }).catch(function (err) {
+    } catch (err) {
       logger.error('auth callback failed: ' + err)
       return response.errorInternalError(req, res)
-    })
+    }
   })
 }
 

lib/models/user.js

@@ -45,12 +45,12 @@ module.exports = function (sequelize, DataTypes) {
     }
   })
 
-  User.prototype.hashPassword = async function (plain) {
-    return Scrypt.kdf(plain, await Scrypt.pickParams(0.1)).toString('hex')
+  User.hashPassword = async function (plain) {
+    return (await Scrypt.kdf(plain, await Scrypt.pickParams(0.1))).toString('hex')
   }
 
   User.prototype.verifyPassword = async function (attempt) {
-    if (await Scrypt.verifyKdf(Buffer.from(this.password, 'hex'), attempt)) {
+    if (await Scrypt.verify(Buffer.from(this.password, 'hex'), attempt)) {
       return this
     }