From bd722dda8e3b9f234cc2875d2fcef558e8c08f4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Alby?=
Date: Wed, 15 May 2019 09:18:39 +0200
Subject: [PATCH] Merge pull request #1759 from overleaf/sk-disable-bcrypt-rounds-upgrade

Temporarily de-activate automatic upgrade of bcrypt rounds

GitOrigin-RevId: 66dbe344c00253e4b6a8f883735e61d9133da62e
---
 .../AuthenticationManager.coffee | 3 +++
 .../AuthenticationManagerTests.coffee | 22 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/services/web/app/coffee/Features/Authentication/AuthenticationManager.coffee b/services/web/app/coffee/Features/Authentication/AuthenticationManager.coffee
index 8a5d3bb990..317fe00e73 100644
--- a/services/web/app/coffee/Features/Authentication/AuthenticationManager.coffee
+++ b/services/web/app/coffee/Features/Authentication/AuthenticationManager.coffee
@@ -86,6 +86,9 @@ module.exports = AuthenticationManager =
 return callback(new Error("Password Reset Attempt Failed"))

 checkRounds: (user, hashedPassword, password, callback = (error) ->) ->
+ # Temporarily disable this function, TODO: re-enable this
+ if Settings?.security?.disableBcryptRoundsUpgrades
+ return callback()
 # check current number of rounds and rehash if necessary
 currentRounds = bcrypt.getRounds hashedPassword
 if currentRounds < BCRYPT_ROUNDS
diff --git a/services/web/test/unit/coffee/Authentication/AuthenticationManagerTests.coffee b/services/web/test/unit/coffee/Authentication/AuthenticationManagerTests.coffee
index ab8bd039c5..1dea07f29a 100644
--- a/services/web/test/unit/coffee/Authentication/AuthenticationManagerTests.coffee
+++ b/services/web/test/unit/coffee/Authentication/AuthenticationManagerTests.coffee
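Review bot: The early return added to checkRounds leaves every login that reaches it on whatever cost factor its stored hash already has, and nothing records that the rehash was skipped, so the "temporary" state is invisible to operators once the flag is set. The TODO carries no tracking reference; I would at least make the comment say what is being deferred, e.g. `# TODO(<ticket placeholder>): re-enable bcrypt rounds upgrade — while Settings.security.disableBcryptRoundsUpgrades is set, hashes below BCRYPT_ROUNDS are left as-is`. If the module already has a logger or metrics helper in scope, a counter incremented on this path would show how many authentications are still served from sub-target hashes while the flag is on. Note that `Settings?.security?` means a missing security block keeps upgrades enabled, which is the safe default. checkRounds' body continues outside the hunk.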
@@ -148,6 +148,28 @@ describe "AuthenticationManager", ->
 it "should return the user", ->
 @callback.calledWith(null, @user).should.equal true

+ describe "when the hashed password matches but the number of rounds is too low, but upgrades disabled", ->
+ beforeEach (done) ->
+ @settings.security.disableBcryptRoundsUpgrades = true
+ @user.hashedPassword = @hashedPassword = "asdfjadflasdf"
+ @bcrypt.compare = sinon.stub().callsArgWith(2, null, true)
+ @bcrypt.getRounds = sinon.stub().returns 7
+ @AuthenticationManager.setUserPassword = sinon.stub().callsArgWith(2, null)
+ @AuthenticationManager.authenticate email: @email, @unencryptedPassword, (error, user) =>
+ @callback(error, user)
+ done()
+
+ it "should not check the number of rounds", ->
+ @bcrypt.getRounds.called.should.equal false
+
+ it "should not set the users password (with a higher number of rounds)", ->
+ @AuthenticationManager.setUserPassword
+ .calledWith("user-id", @unencryptedPassword)
+ .should.equal false
+
+ it "should return the user", ->
+ @callback.calledWith(null, @user).should.equal true
+
 describe "when the user does not exist in the database", ->
 beforeEach ->
 @User.findOne = sinon.stub().callsArgWith(1, null, null)
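Review bot: The new beforeEach sets `@settings.security.disableBcryptRoundsUpgrades = true` but nothing in the hunk resets it, so whether the following describe blocks run with upgrades disabled depends on an outer beforeEach rebuilding `@settings`, which is not visible here. If `@settings` is shared across the suite, add `afterEach -> @settings.security.disableBcryptRoundsUpgrades = false` inside this describe so the flag cannot leak into any sibling case that expects the rounds upgrade to run. The `@bcrypt.getRounds` stub returning 7 is never reached by design, which the first `it` pins, and the final `it` confirms the early return still completes the callback with the user. The enclosing describe "AuthenticationManager" starts outside the hunk.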