yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-11-05 04:13:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12276 from thomas-br/patch-1

Browse Source 
Fixing double hashing issue for users-permissions passwords
This commit is contained in:
Jean-Sébastien Herbaux 2022-01-31 11:42:46 +01:00 committed by GitHub
commit ae5010efc2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
packages/plugins/users-permissions/server/controllers/auth.js
View File

@ -137,13 +137,8 @@ module.exports = {
throw new ValidationError('Incorrect code provided');
}
const password = await getService('user').hashPassword({ password: params.password });
await getService('user').edit(user.id, { resetPasswordToken: null, password: params.password });
// Update the user.
await strapi
.query('plugin::users-permissions.user')
.update({ where: { id: user.id }, data: { resetPasswordToken: null, password } });
ctx.send({
jwt: getService('jwt').issue({ id: user.id }),
user: await sanitizeUser(user, ctx),
@ -325,7 +320,6 @@ module.exports = {
}
params.role = role.id;
params.password = await getService('user').hashPassword(params);
const user = await strapi.query('plugin::users-permissions.user').findOne({
where: { email: params.email },
@ -344,7 +338,7 @@ module.exports = {
params.confirmed = true;
}
const user = await strapi.query('plugin::users-permissions.user').create({ data: params });
const user = await getService('user').add(params);
const sanitizedUser = await sanitizeUser(user, ctx);
@ -367,8 +361,11 @@ module.exports = {
} catch (err) {
if (_.includes(err.message, 'username')) {
throw new ApplicationError('Username already taken');
} else {
} else if (_.includes(err.message, 'email')) {
throw new ApplicationError('Email already taken');
} else {
strapi.log.error(err);
throw new ApplicationError('An error occurred during account creation');
}
}
},

45
packages/plugins/users-permissions/server/services/user.js
View File

@ -35,13 +35,10 @@ module.exports = ({ strapi }) => ({
* @return {Promise}
*/
async add(values) {
if (values.password) {
values.password = await getService('user').hashPassword(values);
}
return strapi
.query('plugin::users-permissions.user')
.create({ data: values, populate: ['role'] });
return strapi.entityService.create('plugin::users-permissions.user', {
data: values,
populate: ['role'],
});
},
/**
@ -51,10 +48,6 @@ module.exports = ({ strapi }) => ({
* @return {Promise}
*/
async edit(userId, params = {}) {
if (params.password) {
params.password = await getService('user').hashPassword(params);
}
return strapi.entityService.update('plugin::users-permissions.user', userId, {
data: params,
populate: ['role'],
@ -87,29 +80,6 @@ module.exports = ({ strapi }) => ({
return strapi.query('plugin::users-permissions.user').findMany({ where: params, populate });
},
hashPassword(user = {}) {
return new Promise((resolve, reject) => {
if (!user.password || this.isHashed(user.password)) {
resolve(null);
} else {
bcrypt.hash(`${user.password}`, 10, (err, hash) => {
if (err) {
return reject(err);
}
resolve(hash);
});
}
});
},
isHashed(password) {
if (typeof password !== 'string' || !password) {
return false;
}
return password.split('$').length === 4;
},
/**
* Promise to remove a/an user.
* @return {Promise}
@ -117,6 +87,13 @@ module.exports = ({ strapi }) => ({
async remove(params) {
return strapi.query('plugin::users-permissions.user').delete({ where: params });
},
isHashed(password) {
if (typeof password !== 'string' || !password) {
return false;
}
return password.split('$').length === 4;
},
validatePassword(password, hash) {
return bcrypt.compare(password, hash);