summaryrefslogtreecommitdiff
path: root/server.js
diff options
context:
space:
mode:
authorTor Andersson <tor@ccxvii.net>2021-11-20 13:14:11 +0100
committerTor Andersson <tor@ccxvii.net>2021-11-20 13:14:24 +0100
commitf02fb77b1cb34b4622f2c90597ff616d4de65fc5 (patch)
treed138addc84cfb3f4cb74df0702f3f0e23088d2eb /server.js
parent6818805da05c4b4f0ed55d93d3bfd1af171abe47 (diff)
downloadserver-f02fb77b1cb34b4622f2c90597ff616d4de65fc5.tar.gz
Change salt when resetting password.
Diffstat (limited to 'server.js')
-rw-r--r--server.js12
1 files changed, 7 insertions, 5 deletions
diff --git a/server.js b/server.js
index ed2ba1c..cf5a9d0 100644
--- a/server.js
+++ b/server.js
@@ -201,7 +201,7 @@ const SQL_UPDATE_USER_NOTIFY = SQL("UPDATE users SET notify=? WHERE user_id=?");
const SQL_UPDATE_USER_NAME = SQL("UPDATE users SET name=? WHERE user_id=?");
const SQL_UPDATE_USER_MAIL = SQL("UPDATE users SET mail=? WHERE user_id=?");
const SQL_UPDATE_USER_ABOUT = SQL("UPDATE users SET about=? WHERE user_id=?");
-const SQL_UPDATE_USER_PASSWORD = SQL("UPDATE users SET password=? WHERE user_id=?");
+const SQL_UPDATE_USER_PASSWORD = SQL("UPDATE users SET password=?, salt=? WHERE user_id=?");
const SQL_UPDATE_USER_LAST_SEEN = SQL("INSERT OR REPLACE INTO user_last_seen (user_id,atime,aip) VALUES (?,datetime('now'),?)");
const SQL_FIND_TOKEN = SQL("SELECT token FROM tokens WHERE user_id=? AND datetime('now') < datetime(time, '+5 minutes')").pluck();
@@ -411,8 +411,9 @@ app.post('/reset_password', function (req, res) {
req.flash('message', "Invalid or expired token!");
return res.redirect('/reset_password/'+mail);
}
- let hash = hash_password(password, user.salt);
- SQL_UPDATE_USER_PASSWORD.run(hash, user.user_id);
+ let salt = crypto.randomBytes(32).toString('hex');
+ let hash = hash_password(password, salt);
+ SQL_UPDATE_USER_PASSWORD.run(hash, salt, user.user_id);
return res.redirect('/login');
});
@@ -436,8 +437,9 @@ app.post('/change_password', must_be_logged_in, function (req, res) {
req.flash('message', "Wrong password.");
return res.redirect('/change_password');
}
- let newhash = hash_password(newpass, user.salt);
- SQL_UPDATE_USER_PASSWORD.run(newhash, user.user_id);
+ let salt = crypto.randomBytes(32).toString('hex');
+ let hash = hash_password(newpass, salt);
+ SQL_UPDATE_USER_PASSWORD.run(hash, salt, user.user_id);
req.flash('message', "Your password has been updated.");
return res.redirect('/profile');
});