From 471f5c60a6207338fdabc0513bd3376ce57eca53 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Wed, 22 Jun 2011 17:34:05 -0600
Subject: [PATCH] first pass at password obfuscation, issue #35

---
 browserid/lib/wsapi.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 8c9e77ce9..bae2b79b7 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -4,7 +4,16 @@
 const db = require('./db.js'),
       url = require('url'),
       httputils = require('./httputils.js');
-      email = require('./email.js');
+      email = require('./email.js'),
+      crypto = require('crypto');   
+
+// md5 is used to obfuscate passwords simply so we don't store
+// users passwords in plaintext anywhere
+function obfuscatePassword(pass) {
+  var hash = crypto.createHash('sha256');
+  hash.update(pass);
+  return hash.digest('base64');
+}
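Review bot: The comment above the new helper says md5 while the code creates a `sha256` hash, so it should read `// sha256 is used to obfuscate passwords simply so we don't store` to match what is actually computed. More importantly, a single unsalted SHA-256 is not a password-storage hash: two users with the same password get the same digest, and the function is cheap enough that a leaked table can be attacked offline with precomputed digests; the usual fix is a per-user random salt and an iterated KDF (crypto.pbkdf2 where the Node version provides it, or bcrypt) with the salt stored beside the digest. `hash.update(pass)` is also called without an input encoding, so which bytes get hashed for a non-ASCII password depends on the runtime's default; `hash.update(pass, 'utf8')` pins it. The `crypto = require('crypto');` line carries trailing whitespace.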
 
 function checkParams(getArgs, resp, params) {
   try {
@@ -53,6 +62,8 @@ exports.stage_user = function(req, resp) {
   if (!checkParams(getArgs, resp, [ "email", "pass", "pubkey", "site" ])) {
     return;
   }
+   
+  getArgs.pass = obfuscatePassword(getArgs.pass);
 
   try {
     // upon success, stage_user returns a secret (that'll get baked into a url
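Review bot: `getArgs.pass = obfuscatePassword(getArgs.pass);` overwrites the plaintext before it reaches the database call, but nothing is stored to say which scheme produced the digest, and the same transform is repeated in authenticate_user in the next hunk; once a salted or iterated scheme replaces it there is no way to tell old records from new, so recording a scheme marker (or the salt) alongside the digest now avoids a forced password reset later. The name `getArgs` suggests the password arrives as a URL query parameter, in which case the plaintext is already in access logs and browser history before this line runs — worth confirming, and moving the credential into a request body if so. The blank line added above the assignment carries trailing whitespace. stage_user begins before this hunk and continues after it.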
@@ -102,6 +113,8 @@ exports.authenticate_user = function(req, resp) {
 
   if (!checkParams(getArgs, resp, [ "email", "pass" ])) return;
 
+  getArgs.pass = obfuscatePassword(getArgs.pass);
+
   db.checkAuth(getArgs.email, getArgs.pass, function(rv) {
     if (rv) {
       if (!req.session) req.session = {}; 
-- 
GitLab