From 5fc8baf0e0450a850636ccac35b33a3e84472fc8 Mon Sep 17 00:00:00 2001
From: Mike Hazell
Date: Wed, 27 May 2020 10:00:59 +1000
Subject: [PATCH 1/2] make simulated password self documenting
---
 .changeset/fluffy-baboons-relax.md | 5 +++++
 packages/auth-password/index.js | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/fluffy-baboons-relax.md
diff --git a/.changeset/fluffy-baboons-relax.md b/.changeset/fluffy-baboons-relax.md
new file mode 100644
index 00000000000..3eff62e596a
--- /dev/null
+++ b/.changeset/fluffy-baboons-relax.md
@@ -0,0 +1,5 @@
+---
+'@keystonejs/auth-password': patch
+---
+
+Made simulated password self-documenting
diff --git a/packages/auth-password/index.js b/packages/auth-password/index.js
index ce04fac5acb..62e160d109e 100644
--- a/packages/auth-password/index.js
+++ b/packages/auth-password/index.js
@@ -75,7 +75,9 @@ class PasswordAuthStrategy {
 // TODO: This should call `secretFieldInstance.compare()` to ensure it's
 // always consistent.
 // This may still leak if the workfactor for the password field has changed
- const hash = await secretFieldInstance.generateHash('password1234');
+ const hash = await secretFieldInstance.generateHash(
+ 'simulated-password-to-counter-timing-attack'
+ );
 await secretFieldInstance.compare('', hash);
 return { success: false, message: '[passwordAuth:failure] Authentication failed' };
 }
@@ -108,7 +110,9 @@ class PasswordAuthStrategy {
 };
 }
 
- const hash = await secretFieldInstance.generateHash('password1234');
+ const hash = await secretFieldInstance.generateHash(
+ 'simulated-password-to-counter-timing-attack'
+ );
 await secretFieldInstance.compare(secret, hash);
 return {
 success: false,
From 7256690f8c08e1ea3a05de3306572f9d9abf008b Mon Sep 17 00:00:00 2001
From: Mike
Date: Wed, 27 May 2020 13:12:09 +1000
Subject: [PATCH 2/2] Update .changeset/fluffy-baboons-relax.md
---
 .changeset/fluffy-baboons-relax.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
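Review bot: The new literal `'simulated-password-to-counter-timing-attack'` is spelled out twice, in this hunk and again in the `@@ -108,7 +110,9 @@` hunk, so the two failure paths can silently drift apart on a later edit; hoist it once at module level, `const SIMULATED_PASSWORD = 'simulated-password-to-counter-timing-attack';`, and call `secretFieldInstance.generateHash(SIMULATED_PASSWORD)` at both sites so the intent lives in one place with one comment. Both sites still run `generateHash` and then `compare` on every failed attempt, which — if `compare` re-hashes the candidate as a bcrypt-style check would — makes the failing branch do two slow hashes where a genuine comparison does one, so the timing the existing comment aims to equalise may still be distinguishable; computing the dummy hash once and reusing it, or taking the TODO's route of a single `compare()` against a stored dummy, would narrow that gap. The enclosing method of each hunk starts outside the hunk.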
diff --git a/.changeset/fluffy-baboons-relax.md b/.changeset/fluffy-baboons-relax.md
index 3eff62e596a..3e1ef18aa93 100644
--- a/.changeset/fluffy-baboons-relax.md
+++ b/.changeset/fluffy-baboons-relax.md
@@ -2,4 +2,4 @@
 '@keystonejs/auth-password': patch
 ---
 
-Made simulated password self-documenting
+Made simulated password self-documenting.