yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-11-05 12:24:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12276 from thomas-br/patch-1

Browse Source 
Fixing double hashing issue for users-permissions passwords
This commit is contained in:
Jean-Sébastien Herbaux 2022-01-31 11:42:46 +01:00 committed by GitHub
commit ae5010efc2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
packages/plugins/users-permissions/server/controllers/auth.js
View File

@ -137,13 +137,8 @@ module.exports = {
throw new ValidationError('Incorrect code provided'); throw new ValidationError('Incorrect code provided');
} }
const password = await getService('user').hashPassword({ password: params.password }); await getService('user').edit(user.id, { resetPasswordToken: null, password: params.password });
// Update the user. // Update the user.
await strapi
.query('plugin::users-permissions.user')
.update({ where: { id: user.id }, data: { resetPasswordToken: null, password } });
ctx.send({ ctx.send({
jwt: getService('jwt').issue({ id: user.id }), jwt: getService('jwt').issue({ id: user.id }),
user: await sanitizeUser(user, ctx), user: await sanitizeUser(user, ctx),
@ -325,7 +320,6 @@ module.exports = {
} }
params.role = role.id; params.role = role.id;
params.password = await getService('user').hashPassword(params);
const user = await strapi.query('plugin::users-permissions.user').findOne({ const user = await strapi.query('plugin::users-permissions.user').findOne({
where: { email: params.email }, where: { email: params.email },
@ -344,7 +338,7 @@ module.exports = {
params.confirmed = true; params.confirmed = true;
} }
const user = await strapi.query('plugin::users-permissions.user').create({ data: params }); const user = await getService('user').add(params);
const sanitizedUser = await sanitizeUser(user, ctx); const sanitizedUser = await sanitizeUser(user, ctx);
@ -367,8 +361,11 @@ module.exports = {
} catch (err) { } catch (err) {
if (_.includes(err.message, 'username')) { if (_.includes(err.message, 'username')) {
throw new ApplicationError('Username already taken'); throw new ApplicationError('Username already taken');
} else { } else if (_.includes(err.message, 'email')) {
throw new ApplicationError('Email already taken'); throw new ApplicationError('Email already taken');
} else {
strapi.log.error(err);
throw new ApplicationError('An error occurred during account creation');
} }
} }
}, },

45
packages/plugins/users-permissions/server/services/user.js
View File

@ -35,13 +35,10 @@ module.exports = ({ strapi }) => ({
* @return {Promise} * @return {Promise}
*/ */
async add(values) { async add(values) {
if (values.password) { return strapi.entityService.create('plugin::users-permissions.user', {
values.password = await getService('user').hashPassword(values); data: values,
} populate: ['role'],
});
return strapi
.query('plugin::users-permissions.user')
.create({ data: values, populate: ['role'] });
}, },
/** /**
@ -51,10 +48,6 @@ module.exports = ({ strapi }) => ({
* @return {Promise} * @return {Promise}
*/ */
async edit(userId, params = {}) { async edit(userId, params = {}) {
if (params.password) {
params.password = await getService('user').hashPassword(params);
}
return strapi.entityService.update('plugin::users-permissions.user', userId, { return strapi.entityService.update('plugin::users-permissions.user', userId, {
data: params, data: params,
populate: ['role'], populate: ['role'],
@ -87,29 +80,6 @@ module.exports = ({ strapi }) => ({
return strapi.query('plugin::users-permissions.user').findMany({ where: params, populate }); return strapi.query('plugin::users-permissions.user').findMany({ where: params, populate });
}, },
hashPassword(user = {}) {
return new Promise((resolve, reject) => {
if (!user.password || this.isHashed(user.password)) {
resolve(null);
} else {
bcrypt.hash(`${user.password}`, 10, (err, hash) => {
if (err) {
return reject(err);
}
resolve(hash);
});
}
});
},
isHashed(password) {
if (typeof password !== 'string' || !password) {
return false;
}
return password.split('$').length === 4;
},
/** /**
* Promise to remove a/an user. * Promise to remove a/an user.
* @return {Promise} * @return {Promise}
@ -117,6 +87,13 @@ module.exports = ({ strapi }) => ({
async remove(params) { async remove(params) {
return strapi.query('plugin::users-permissions.user').delete({ where: params }); return strapi.query('plugin::users-permissions.user').delete({ where: params });
}, },
isHashed(password) {
if (typeof password !== 'string' || !password) {
return false;
}
return password.split('$').length === 4;
},
validatePassword(password, hash) { validatePassword(password, hash) {
return bcrypt.compare(password, hash); return bcrypt.compare(password, hash);