Implement admin password hashing with bcrypt (#3754)

* Add bcrypt hashing helpers * SetAdminPassword now hashes the password before saving it * BasicAuth now compares the bcrypt hash for the password * Modify migration2 to avoid a double password hash when upgrading * Add migration for bcrypt hashed password * Do not show admin password hash as initial value * Update api tests to compare the bcrypt hash of the admin password instead * Remove old admin password api tests --------- Co-authored-by: Gabe Kangas <gabek@real-ity.com>
2024-06-27 09:20:22 +05:00
parent 51cd16dcc1
commit a7e5f20337
8 changed files with 497 additions and 3061 deletions
--- a/core/data/config.go
+++ b/core/data/config.go
@@ -115,7 +115,11 @@ func GetAdminPassword() string {

 // SetAdminPassword will set the admin password.
 func SetAdminPassword(key string) error {
-	return _datastore.SetString(adminPasswordKey, key)
+	hashed_pass, err := utils.HashPassword(key)
+	if err != nil {
+		return err
+	}
+	return _datastore.SetString(adminPasswordKey, hashed_pass)
 }

 // GetLogoPath will return the path for the logo, relative to webroot.
--- a/core/data/datastoreMigrations.go
+++ b/core/data/datastoreMigrations.go
@@ -8,7 +8,7 @@ import (
 )

 const (
-	datastoreValuesVersion   = 3
+	datastoreValuesVersion   = 4
 	datastoreValueVersionKey = "DATA_STORE_VERSION"
 )

@@ -27,6 +27,8 @@ func migrateDatastoreValues(datastore *Datastore) {
 			migrateToDatastoreValues2(datastore)
 		case 2:
 			migrateToDatastoreValues3ServingEndpoint3(datastore)
+		case 3:
+			migrateToDatastoreValues4(datastore)
 		default:
 			log.Fatalln("missing datastore values migration step")
 		}
@@ -58,7 +60,8 @@ func migrateToDatastoreValues1(datastore *Datastore) {

 func migrateToDatastoreValues2(datastore *Datastore) {
 	oldAdminPassword, _ := datastore.GetString("stream_key")
-	_ = SetAdminPassword(oldAdminPassword)
+	// Avoids double hashing the password
+	_ = datastore.SetString("admin_password_key", oldAdminPassword)
 	_ = SetStreamKeys([]models.StreamKey{
 		{Key: oldAdminPassword, Comment: "Default stream key"},
 	})
@@ -73,3 +76,11 @@ func migrateToDatastoreValues3ServingEndpoint3(_ *Datastore) {

 	_ = SetVideoServingEndpoint(s3Config.ServingEndpoint)
 }
+
+func migrateToDatastoreValues4(datastore *Datastore) {
+	unhashed_pass, _ := datastore.GetString("admin_password_key")
+	err := SetAdminPassword(unhashed_pass)
+	if err != nil {
+		log.Fatalln("error migrating admin password:", err)
+	}
+}