From 14132783ed47bc077b6594c3a4d8f8b970919d3d Mon Sep 17 00:00:00 2001
From: Mark Powers
Date: Thu, 19 Sep 2019 17:42:35 -0500
Subject: Add salt to password hashing

---
 src/html/admin.html | 4 ++++
 src/index.js | 4 ++++
 src/server.js | 12 +++++++++---
 3 files changed, 17 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/html/admin.html b/src/html/admin.html
index 01a39b4..a97af06 100644
--- a/src/html/admin.html
+++ b/src/html/admin.html
@@ -28,6 +28,10 @@
+

+ < + Admin +

Create Post

diff --git a/src/index.js b/src/index.js
index 1214038..c6a5a18 100644
--- a/src/index.js
+++ b/src/index.js
@@ -68,6 +68,10 @@ function setUpModels(){
         password: {
             type: Sequelize.STRING,
             allowNull: false,
+        },
+        salt: {
+            type: Sequelize.STRING,
+            allowNull: false,
         },}),
     "requests": database.define('requests', {
         session: Sequelize.STRING,
diff --git a/src/server.js b/src/server.js
index 4355adf..0629d31 100644
--- a/src/server.js
+++ b/src/server.js
@@ -39,6 +39,12 @@ function listen(port) {
     server.listen(port, () => console.info(`Listening on port ${port}!`));
 }
 
+function hashWithSalt(password, salt){
+    var hash = crypto.createHmac('sha512', salt);
+    hash.update(password);
+    return hash.digest("base64");
+};
+
 function setUpRoutes(models, jwtFunctions, database) {
     // Authentication routine
     server.use(function (req, res, next) {
@@ -164,9 +170,9 @@ function setUpRoutes(models, jwtFunctions, database) {
         }
     })
     server.post('/login', async (req, res, next) => {
-        const hash = crypto.createHash("sha512").update(req.body.password, "binary").digest("base64");
-        const user = await models.users.findOne({ where: { username: req.body.username, password: hash } })
-        if (user) {
+        const user = await models.users.findOne({ where: { username: req.body.username} })
+        const hash = hashWithSalt(req.body.password, user.salt)
+        if (user.password == hash) {
             const token = jwtFunctions.sign(user.username);
             res.cookie('authorization', token, { expires: new Date(Date.now() + (1000 * 60 * 60)) });
             console.debug("Redirecting to admin - logged in")
-- 
cgit v1.2.3
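Review bot: The new `salt` column says nothing about its expected content, while the server.js hunk in this same commit passes it straight to `crypto.createHmac` as the key; a one-line comment such as `// per-user random salt used as the HMAC key in hashWithSalt (server.js); set when the account is created` would tell the next reader where the value is meant to come from. With `allowNull: false`, any users row that already exists when this column is introduced presumably cannot be synced without a default or a migration, and the hunk does not show how such rows obtain a salt. The enclosing setUpModels function continues outside the hunk.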
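Review bot: hashWithSalt performs a single HMAC-SHA512 pass keyed by the salt, which is cheap to compute and so adds little resistance to offline guessing once the stored hashes leak; Node's crypto module already provides a stretching KDF, e.g. `return crypto.pbkdf2Sync(password, salt, 100000, 64, 'sha512').toString('base64');` (or `crypto.scryptSync`), which would be a small change here. The hunk does not show where `salt` is generated; a header comment stating that it is expected to be a per-user value from `crypto.randomBytes` stored next to the hash would make the contract explicit. Minor style: the `;` after the function's closing brace is a stray empty statement, and `var hash` should be `const hash`.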
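Review bot: The new code reads `user.salt` before checking that findOne returned a row, so a login attempt with an unknown username now throws a TypeError inside the async handler rather than taking the failed-login path the removed `if (user)` guard provided; unless a wrapper outside the hunk catches the rejection, Express will not see it. Keep the guard ahead of the hash computation, `if (!user) { /* existing failed-login branch */ }`, noting that the else branch of this `if` lies outside the hunk so its exact behaviour is not visible here. The comparison `user.password == hash` should at least be `===`, and preferably `crypto.timingSafeEqual(Buffer.from(user.password), Buffer.from(hash))`, since both values are base64 SHA-512 digests of equal length. Any account whose stored password predates this commit was hashed without a salt and will presumably never match the new scheme; that deserves a comment or a migration note. setUpRoutes starts and ends outside the hunk.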