authenticate_user: factor out updateHash code
After the user is authenticated, we might update the hashed password if the bcrypt work factor has been changed. To simplify the code in preparation for later changes, this patch extracts the updateHash() code out to a separate function.

Note that this function must run *after* the `res.json()` call for two reasons. The first is to avoid slowing down the client (send answer first, do work later). The second is to get the right session cookie into the POST that we send to ourselves (to /wsapi/update_password) that does the actual hash update. The session is updated in wsapi.authenticateSession, but the cookie isn't regenerated until the call to `res.json()`, and the POST is sneakily grabbing the cookie out of the response's Set-Cookie header to copy into the request-to-self.
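The ordering constraint described in the commit message, as an added sketch that is not code from this commit or from the project. `FakeResponse`, `buildUpdateRequest`, `authenticateUser` and the cookie format are hypothetical stand-ins; only `res.json()`, `wsapi.authenticateSession` and `/wsapi/update_password` are named on the page.

```javascript
// Constructed model of a response whose session cookie is only serialized
// into Set-Cookie at send time, as the commit message describes.
class FakeResponse {
  constructor(session) {
    this.session = session;
    this.headers = {};
    this.body = null;
  }
  json(obj) {
    // The cookie is regenerated here, from the session state at send time.
    this.headers['set-cookie'] =
      'session=' + encodeURIComponent(JSON.stringify(this.session));
    this.body = JSON.stringify(obj);
  }
  getHeader(name) { return this.headers[name.toLowerCase()]; }
}

// Stand-in for wsapi.authenticateSession: it changes the session object only,
// not any header on the response.
function authenticateSession(session, uid) {
  session.authenticatedUser = uid;
}

// Builds the request-to-self that would carry the hash update, copying the
// cookie out of the response's Set-Cookie header.
function buildUpdateRequest(res) {
  const cookie = res.getHeader('Set-Cookie');
  if (!cookie) return null; // nothing to copy: the POST would carry no session
  return { method: 'POST', path: '/wsapi/update_password',
           headers: { Cookie: cookie } };
}

// Decodes the constructed cookie format used by FakeResponse.
function sessionFromCookie(cookie) {
  return JSON.parse(decodeURIComponent(cookie.slice('session='.length)));
}

// Runs the login flow in either order and returns the request-to-self.
function authenticateUser(uid, updateBeforeSend) {
  const res = new FakeResponse({});
  authenticateSession(res.session, uid);
  if (updateBeforeSend) {
    const req = buildUpdateRequest(res); // wrong order: cookie not generated yet
    res.json({ success: true });
    return req;
  }
  res.json({ success: true });           // order the commit message requires
  return buildUpdateRequest(res);
}
```
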