Modified the authentication stuff to grant access not based on plain password authentication but on a kind of 'timed cookies' so the password is not stored in plain text in some browser cookie.

Also modded some random string generation funtions for elegance.
2025-05-04 22:27:10 -04:00 · 2011-11-09 23:53:00 +01:00 · 2011-11-09 23:53:00 +01:00 · 082c732429
commit 082c732429
parent 4fc4a35381
3 changed files with 39 additions and 14 deletions
--- a/node/db/Pad.js
+++ b/node/db/Pad.js
@ -489,9 +489,13 @@ Class('Pad', {
      this.passwordHash = password == null ? null : hash(password, generateSalt());
      db.setSub("pad:"+this.id, ["passwordHash"], this.passwordHash);
    }, 
+	getPasswordSalt: function()
+	{
+		return this.passwordHash.split("$")[1];
+	},
    isCorrectPassword: function(password)
    {
-      return compare(this.passwordHash, password)
+      return timeSensitiveCompare(this.passwordHash, password)
    }, 
    isPasswordProtected: function()
    {
@ -512,17 +516,21 @@ function hash(password, salt)
 function generateSalt()
 {
  var len = 86;
-  var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./";
+  var charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./";
  var randomstring = '';
  for (var i = 0; i < len; i++)
  {
-    var rnum = Math.floor(Math.random() * chars.length);
-    randomstring += chars.substring(rnum, rnum + 1);
+    var rnum = Math.floor(Math.random() * charset.length);
+    randomstring += charset[rnum];
  }
  return randomstring;
 }

-function compare(hashStr, password)
+/* Compare the timed password hash with the saved value.
+ * If the hash was generated too far in the past, it is rejected. */
+function timeSensitiveCompare(hashStr, password)
 {
-  return hash(password, hashStr.split("$")[1]) === hashStr;  
+  var timestamp = password.split("$")[1];
+  return password === hash(hashStr, timestamp)
+    && timestamp - new Date().getTime() > 0;
 }