implement dynamic bcrypt work-factor update so we can scale this up or down as...

implement dynamic bcrypt work-factor update so we can scale this up or down as we seek the optimal security/performance balance

implement dynamic bcrypt work-factor update so we can scale this up or down as...
implement dynamic bcrypt work-factor update so we can scale this up or down as we seek the optimal security/performance balance
d76edd82 · Lloyd Hilaiel · 982685b6 · d76edd82 · d76edd82 · d76edd82
Commit d76edd82 authored 13 years ago by Lloyd Hilaiel
--- a/browserid/lib/db.js
+++ b/browserid/lib/db.js
@@ -103,7 +103,8 @@ exports.onReady = function(f) {
  'checkAuth',
  'listEmails',
  'removeEmail',
-  'cancelAccount'
+  'cancelAccount',
+  'updatePassword'
 ].forEach(function(fn) {
  exports[fn] = function() {
    checkReady();

--- a/browserid/lib/db_json.js
+++ b/browserid/lib/db_json.js
@@ -238,6 +238,14 @@ exports.checkAuth = function(email, cb) {
  setTimeout(function() { cb(m) }, 0);
 };

+exports.updatePassword = function(email, hash, cb) {
+  var m = jsel.match(":root > object:has(.emails > :val(" + ESC(email) + "))", db);
+  var err = undefined;
+  if (m.length === 0) err = "no such email address";
+  else m[0].password = hash;
+  setTimeout(function() { cb(err) }, 0);
+};
+
 function emailToUserID(email, cb) {
  var id = undefined;


--- a/browserid/lib/db_mysql.js
+++ b/browserid/lib/db_mysql.js
@@ -306,6 +306,16 @@ exports.checkAuth = function(email, cb) {
    });
 }

+exports.updatePassword = function(email, hash, cb) {
+  client.query(
+    'UPDATE user SET passwd = ? WHERE id = ( SELECT user FROM email WHERE address = ? )',
+    [ hash, email ],
+    function (err, rows) {
+      if (err) logUnexpectedError(err);
+      cb((err || rows.affectedRows !== 1) ? ("no record with email " + email) : undefined);
+    });
+}
+
 /*
 * list the user's emails.
 *

--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -385,7 +385,18 @@ function setup(app) {
          if (!req.session) req.session = {};
          setAuthenticatedUser(req.session, req.body.email);

-          // if the work factor has changed, update the hash here
+          // if the work factor has changed, update the hash here.  issue #204
+          // NOTE: this runs asynchronously and will not delay the response
+          if (configuration.get('bcrypt_work_factor') != bcrypt.get_rounds(hash)) {
+            logger.info("updating bcrypted password for email " + req.body.email);
+            bcrypt_password(req.body.pass, function(err, hash) {
+              db.updatePassword(req.body.email, hash, function(err) {
+                if (err) {
+                  logger.error("error updating bcrypted password for email " + req.body.email, err);
+                }
+              });
+            });
+          }
        }
        resp.json({ success: success });
      });