refactor: 💡 Added passwords hashing using bcrypt

Author: kostysh

package.json

@@ -76,6 +76,7 @@
     "@types/debug": "^4.1.8",
     "@types/luxon": "^3.3.0",
     "@types/jsonwebtoken": "^9.0.2",
+    "@types/bcryptjs": "^2.4.2",
     "ts-node": "^10.9.1",
     "typescript": "^5.1.3",
     "semantic-release": "^21.0.5",
@@ -110,7 +111,8 @@
     "@trpc/server": "^10.32.0",
     "@trpc/client": "^10.32.0",
     "jsonwebtoken": "^9.0.0",
-    "zod": "^3.21.4"
+    "zod": "^3.21.4",
+    "bcryptjs": "^2.4.3"
   },
   "scripts": {
     "clean": "rm -rf ./lib",

src/node/api/db.ts

@@ -1,7 +1,9 @@
-import { Hex, keccak256 } from 'viem';
 import { z } from 'zod';
+import { hash } from 'bcryptjs';
 import { Storage } from '../../storage/index.js';
 
+export { compare as comparePassword } from 'bcryptjs';
+
 /**
  * Interface defining the properties of a User object stored in storage.
  */
@@ -39,17 +41,13 @@ export interface UsersDbOptions {
   storage: Storage;
   /** Prefix used for the storage key to avoid potential key collisions */
   prefix: string;
-  /** Salt used for hashing passwords */
-  salt: string;
 }
 
 export class UsersDb {
   /** Storage instance for persisting the state of the API server */
   storage: Storage;
   /** Specific key prefix for the storage key to avoid potential key collisions */
   prefix: string;
-  /** Salt used for hashing passwords */
-  salt: string;
 
   /**
    * Creates an instance of UsersDb.
@@ -59,26 +57,24 @@ export class UsersDb {
    * @memberof NodeApiServer
    */
   constructor(options: UsersDbOptions) {
-    const { storage, prefix, salt } = options;
+    const { storage, prefix } = options;
 
     // TODO Validate NodeApiServerOptions
 
     this.prefix = `${prefix}_api_users_`;
     this.storage = storage;
-    this.salt = salt;
   }
 
   /**
    * Hashes the given password with the given salt.
    *
    * @static
    * @param {string} password The password to be hashed
-   * @param {string} salt The salt to be used for hashing
    * @returns {string} The hashed password
    * @memberof UsersDb
    */
-  static hashPassword(password: string, salt: string): string {
-    return keccak256(`${password}${salt}` as Hex);
+  static async hashPassword(password: string): Promise<string> {
+    return await hash(password, 10);
   }
 
   /**
@@ -132,7 +128,7 @@ export class UsersDb {
     // Save the user into the storage
     await this.storage.set<User>(this.loginKey(login), {
       login,
-      hashedPassword: UsersDb.hashPassword(password, this.salt),
+      hashedPassword: await UsersDb.hashPassword(password),
       isAdmin,
     });
   }

src/node/api/router/user.ts

@@ -1,5 +1,5 @@
 import { TRPCError } from '@trpc/server';
-import { User, UserInputSchema, UsersDb } from '../db.js';
+import { User, UserInputSchema, comparePassword } from '../db.js';
 import {
   APIContext,
   router,
@@ -56,9 +56,12 @@ export const userRouter = router({
       });
     }
 
-    if (
-      user.hashedPassword !== UsersDb.hashPassword(password, server.users.salt)
-    ) {
+    const isValidPassword = await comparePassword(
+      password,
+      user.hashedPassword,
+    );
+
+    if (!isValidPassword) {
       throw new TRPCError({
         code: 'UNAUTHORIZED',
         message: 'Invalid login or password',

src/node/api/server.ts

@@ -123,12 +123,6 @@ export interface NodeApiServerOptions {
    */
   port: number;
 
-  /**
-   * A salt string used for hashing passwords. This adds an extra layer of security by
-   * making it much harder for someone to reverse-engineer the original password from the hash.
-   */
-  salt: string;
-
   /**
    * A secret string used by the application for various purposes, often for signing and verifying tokens.
    */
@@ -173,8 +167,7 @@ export class NodeApiServer {
    * @memberof NodeApiServer
    */
   constructor(options: NodeApiServerOptions) {
-    const { storage, prefix, port, salt, secret, ownerAccount, expire } =
-      options;
+    const { storage, prefix, port, secret, ownerAccount, expire } = options;
 
     // TODO Validate NodeApiServerOptions
 
@@ -184,7 +177,7 @@ export class NodeApiServer {
     this.expire = expire ?? '1h';
 
     /** Initialize the UsersDb instance with the provided options */
-    this.users = new UsersDb({ storage, prefix, salt });
+    this.users = new UsersDb({ storage, prefix });
   }
 
   /**

test/node.api.nodeApiServer.spec.ts

@@ -47,7 +47,6 @@ describe('NodeApiServer', () => {
     options = {
       storage: await createInitializer()(),
       prefix: 'test',
-      salt: 'salt',
       port: 3456,
       secret: 'secret',
       ownerAccount: owner.address,

yarn.lock

@@ -1661,6 +1661,11 @@
     "@tufjs/canonical-json" "1.0.0"
     minimatch "^9.0.0"
 
+"@types/bcryptjs@^2.4.2":
+  version "2.4.2"
+  resolved "https://registry.yarnpkg.com/@types/bcryptjs/-/bcryptjs-2.4.2.tgz#e3530eac9dd136bfdfb0e43df2c4c5ce1f77dfae"
+  integrity sha512-LiMQ6EOPob/4yUL66SZzu6Yh77cbzJFYll+ZfaPiPPFswtIlA/Fs1MzdKYA7JApHU49zQTbJGX3PDmCpIdDBRQ==
+
 "@types/chai-subset@^1.3.3":
   version "1.3.3"
   resolved "https://registry.yarnpkg.com/@types/chai-subset/-/chai-subset-1.3.3.tgz#97893814e92abd2c534de422cb377e0e0bdaac94"
@@ -2818,6 +2823,11 @@ bcrypt-pbkdf@^1.0.0:
   dependencies:
     tweetnacl "^0.14.3"
 
+bcryptjs@^2.4.3:
+  version "2.4.3"
+  resolved "https://registry.yarnpkg.com/bcryptjs/-/bcryptjs-2.4.3.tgz#9ab5627b93e60621ff7cdac5da9733027df1d0cb"
+  integrity sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==
+
 before-after-hook@^2.2.0:
   version "2.2.3"
   resolved "https://registry.yarnpkg.com/before-after-hook/-/before-after-hook-2.2.3.tgz#c51e809c81a4e354084422b9b26bad88249c517c"
@@ -3764,7 +3774,7 @@ debug@^3.1.0:
   dependencies:
     ms "^2.1.1"
 
-debuglog@*, debuglog@^1.0.1:
+debuglog@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/debuglog/-/debuglog-1.0.1.tgz#aa24ffb9ac3df9a2351837cfb2d279360cd78492"
   integrity sha512-syBZ+rnAK3EgMsH2aYEOLUW7mZSY9Gb+0wUMCFsZvcmiz+HigA0LOcq/HoQqVuGG+EKykunc7QG2bzrponfaSw==
@@ -5322,7 +5332,7 @@ import-lazy@^2.1.0:
   resolved "https://registry.yarnpkg.com/import-lazy/-/import-lazy-2.1.0.tgz#05698e3d45c88e8d7e9d92cb0584e77f096f3e43"
   integrity sha512-m7ZEHgtw69qOGw+jwxXkHlrlIPdTGkyh66zXZ1ajZbxkDBNjSY/LGbmjc7h0s2ELsUDTAhFr55TrPSSqJGPG0A==
 
-imurmurhash@*, imurmurhash@^0.1.4:
+imurmurhash@^0.1.4:
   version "0.1.4"
   resolved "https://registry.yarnpkg.com/imurmurhash/-/imurmurhash-0.1.4.tgz#9218b9b2b928a238b13dc4fb6b6d576f231453ea"
   integrity sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==
@@ -6666,11 +6676,6 @@ lodash-es@^4.17.21:
   resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.17.21.tgz#43e626c46e6591b7750beb2b50117390c609e3ee"
   integrity sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==
 
-lodash._baseindexof@*:
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/lodash._baseindexof/-/lodash._baseindexof-3.1.0.tgz#fe52b53a1c6761e42618d654e4a25789ed61822c"
-  integrity sha512-bSYo8Pc/f0qAkr8fPJydpJjtrHiSynYfYBjtANIgXv5xEf1WlTC63dIDlgu0s9dmTvzRu1+JJTxcIAHe+sH0FQ==
-
 lodash._baseuniq@~4.6.0:
   version "4.6.0"
   resolved "https://registry.yarnpkg.com/lodash._baseuniq/-/lodash._baseuniq-4.6.0.tgz#0ebb44e456814af7905c6212fa2c9b2d51b841e8"
@@ -6679,33 +6684,11 @@ lodash._baseuniq@~4.6.0:
     lodash._createset "~4.0.0"
     lodash._root "~3.0.0"
 
-lodash._bindcallback@*:
-  version "3.0.1"
-  resolved "https://registry.yarnpkg.com/lodash._bindcallback/-/lodash._bindcallback-3.0.1.tgz#e531c27644cf8b57a99e17ed95b35c748789392e"
-  integrity sha512-2wlI0JRAGX8WEf4Gm1p/mv/SZ+jLijpj0jyaE/AXeuQphzCgD8ZQW4oSpoN8JAopujOFGU3KMuq7qfHBWlGpjQ==
-
-lodash._cacheindexof@*:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/lodash._cacheindexof/-/lodash._cacheindexof-3.0.2.tgz#3dc69ac82498d2ee5e3ce56091bafd2adc7bde92"
-  integrity sha512-S8dUjWr7SUT/X6TBIQ/OYoCHo1Stu1ZRy6uMUSKqzFnZp5G5RyQizSm6kvxD2Ewyy6AVfMg4AToeZzKfF99T5w==
-
-lodash._createcache@*:
-  version "3.1.2"
-  resolved "https://registry.yarnpkg.com/lodash._createcache/-/lodash._createcache-3.1.2.tgz#56d6a064017625e79ebca6b8018e17440bdcf093"
-  integrity sha512-ev5SP+iFpZOugyab/DEUQxUeZP5qyciVTlgQ1f4Vlw7VUcCD8fVnyIqVUEIaoFH9zjAqdgi69KiofzvVmda/ZQ==
-  dependencies:
-    lodash._getnative "^3.0.0"
-
 lodash._createset@~4.0.0:
   version "4.0.3"
   resolved "https://registry.yarnpkg.com/lodash._createset/-/lodash._createset-4.0.3.tgz#0f4659fbb09d75194fa9e2b88a6644d363c9fe26"
   integrity sha512-GTkC6YMprrJZCYU3zcqZj+jkXkrXzq3IPBcF/fIPpNEAB4hZEtXU8zp/RwKOvZl43NUmwDbyRk3+ZTbeRdEBXA==
 
-lodash._getnative@*, lodash._getnative@^3.0.0:
-  version "3.9.1"
-  resolved "https://registry.yarnpkg.com/lodash._getnative/-/lodash._getnative-3.9.1.tgz#570bc7dede46d61cdcde687d65d3eecbaa3aaff5"
-  integrity sha512-RrL9VxMEPyDMHOd9uFbvMe8X55X16/cGM5IgOKgRElQZutpX89iS6vwl64duTV1/16w5JY7tuFNXqoekmh1EmA==
-
 lodash._root@~3.0.0:
   version "3.0.1"
   resolved "https://registry.yarnpkg.com/lodash._root/-/lodash._root-3.0.1.tgz#fba1c4524c19ee9a5f8136b4609f017cf4ded692"
@@ -6766,11 +6749,6 @@ lodash.mergewith@^4.6.2:
   resolved "https://registry.yarnpkg.com/lodash.mergewith/-/lodash.mergewith-4.6.2.tgz#617121f89ac55f59047c7aec1ccd6654c6590f55"
   integrity sha512-GK3g5RPZWTRSeLSpgP8Xhra+pnjBC56q9FZYe1d5RN3TJ35dbkGy3YqBSMbyCrlbi+CM9Z3Jk5yTL7RCsqboyQ==
 
-lodash.restparam@*:
-  version "3.6.1"
-  resolved "https://registry.yarnpkg.com/lodash.restparam/-/lodash.restparam-3.6.1.tgz#936a4e309ef330a7645ed4145986c85ae5b20805"
-  integrity sha512-L4/arjjuq4noiUJpt3yS6KIKDtJwNe2fIYgMqyYYKoeIfV1iEqvPwhCx23o+R9dzouGihDAPN1dTIRWa7zk8tw==
-
 lodash.snakecase@^4.1.1:
   version "4.1.1"
   resolved "https://registry.yarnpkg.com/lodash.snakecase/-/lodash.snakecase-4.1.1.tgz#39d714a35357147837aefd64b5dcbb16becd8f8d"