From d76edd82669247a1f870101d793d5eef1b1b92a1 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 11 Oct 2011 16:24:11 -0600
Subject: [PATCH] implement dynamic bcrypt work-factor update so we can scale
 this up or down as we seek the optimal security/performance balance

---
 browserid/lib/db.js       |  3 ++-
 browserid/lib/db_json.js  |  8 ++++++++
 browserid/lib/db_mysql.js | 10 ++++++++++
 browserid/lib/wsapi.js    | 13 ++++++++++++-
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/browserid/lib/db.js b/browserid/lib/db.js
index 6fb423216..4545f2f71 100644
--- a/browserid/lib/db.js
+++ b/browserid/lib/db.js
@@ -103,7 +103,8 @@ exports.onReady = function(f) {
   'checkAuth',
   'listEmails',
   'removeEmail',
-  'cancelAccount'
+  'cancelAccount',
+  'updatePassword'
 ].forEach(function(fn) {
   exports[fn] = function() {
     checkReady();
diff --git a/browserid/lib/db_json.js b/browserid/lib/db_json.js
index 1e4e7c6ac..961761a9a 100644
--- a/browserid/lib/db_json.js
+++ b/browserid/lib/db_json.js
@@ -238,6 +238,14 @@ exports.checkAuth = function(email, cb) {
   setTimeout(function() { cb(m) }, 0);
 };
 
+exports.updatePassword = function(email, hash, cb) {
+  var m = jsel.match(":root > object:has(.emails > :val(" + ESC(email) + "))", db);
+  var err = undefined;
+  if (m.length === 0) err = "no such email address";
+  else m[0].password = hash;
+  setTimeout(function() { cb(err) }, 0);
+};
+
 function emailToUserID(email, cb) {
   var id = undefined;
 
diff --git a/browserid/lib/db_mysql.js b/browserid/lib/db_mysql.js
index 04e891f86..06bd219bf 100644
--- a/browserid/lib/db_mysql.js
+++ b/browserid/lib/db_mysql.js
@@ -306,6 +306,16 @@ exports.checkAuth = function(email, cb) {
     });
 }
 
+exports.updatePassword = function(email, hash, cb) {
+  client.query(
+    'UPDATE user SET passwd = ? WHERE id = ( SELECT user FROM email WHERE address = ? )',
+    [ hash, email ],
+    function (err, rows) {
+      if (err) logUnexpectedError(err);
+      cb((err || rows.affectedRows !== 1) ? ("no record with email " + email) : undefined);
+    });
+}
+
 /*
  * list the user's emails.
  *
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 0b32a37e1..9cd1bf8b0 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -385,7 +385,18 @@ function setup(app) {
           if (!req.session) req.session = {};
           setAuthenticatedUser(req.session, req.body.email);
 
-          // if the work factor has changed, update the hash here
+          // if the work factor has changed, update the hash here.  issue #204
+          // NOTE: this runs asynchronously and will not delay the response
+          if (configuration.get('bcrypt_work_factor') != bcrypt.get_rounds(hash)) {
+            logger.info("updating bcrypted password for email " + req.body.email);
+            bcrypt_password(req.body.pass, function(err, hash) {
+              db.updatePassword(req.body.email, hash, function(err) {
+                if (err) {
+                  logger.error("error updating bcrypted password for email " + req.body.email, err);
+                }
+              });
+            });
+          }
         }
         resp.json({ success: success });
       });
-- 
GitLab