hash: Raise bcrypt cost factor lower bound (ory#321)

Users of this library can easily create the following: hasher := fosite.BCrypt{} hasher.Hash(..) This is a problem because WorkFactor will default to 0 and x/crypto/bcrypt will default that to 4 (See https://godoc.org/golang.org/x/crypto/bcrypt). Instead this should be some higher cost factor. Callers who need a lower WorkFactor can still lower the cost, if needed. Signed-off-by: Adam Shannon <[email protected]>
budougumi0617 · Oct 25, 2018 · 2bdc39b · 2bdc39b
1 parent 3f19d2f
commit 2bdc39b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/compose/config.go b/compose/config.go
@@ -108,7 +108,7 @@ func (c *Config) GetAccessTokenLifespan() time.Duration {
 // GetHashCost returns the bcrypt cost factor. Defaults to 12.
 func (c *Config) GetHashCost() int {
 	if c.HashCost == 0 {
-		return 12
+		return fosite.DefaultBCryptWorkFactor
 	}
 	return c.HashCost
 }

diff --git a/hash_bcrypt.go b/hash_bcrypt.go
@@ -28,12 +28,17 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
+const DefaultBCryptWorkFactor = 12
+
 // BCrypt implements the Hasher interface by using BCrypt.
 type BCrypt struct {
 	WorkFactor int
 }
 
 func (b *BCrypt) Hash(ctx context.Context, data []byte) ([]byte, error) {
+	if b.WorkFactor == 0 {
+		b.WorkFactor = DefaultBCryptWorkFactor
+	}
 	s, err := bcrypt.GenerateFromPassword(data, b.WorkFactor)
 	if err != nil {
 		return nil, errors.WithStack(err)

diff --git a/hash_bcrypt_test.go b/hash_bcrypt_test.go
@@ -26,6 +26,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/bcrypt"
 )
 
 func TestCompare(t *testing.T) {
@@ -110,3 +111,17 @@ func TestHash(t *testing.T) {
 		})
 	}
 }
+
+func TestDefaultWorkFactor(t *testing.T) {
+	b := &BCrypt{}
+	data := []byte("secrets")
+	hash, err := b.Hash(context.TODO(), data)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cost, err := bcrypt.Cost(hash)
+	if cost != 12 {
+		t.Errorf("got cost factor %d", cost)
+	}
+}