Merge pull request #2426 from gradido/clear-old-password-junk

refactor(backend): cleaning user related old password junk
2025-12-12 23:35:50 +00:00 · 2022-12-15 16:12:44 +01:00 · 2022-12-15 16:12:44 +01:00 · a15b985c82
commit a15b985c82
parent 2233bd9b84 1320c962ac
18 changed files with 204 additions and 2233 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -107,9 +107,7 @@ COPY --from=build ${DOCKER_WORKDIR}/package.json ./package.json
 COPY --from=build ${DOCKER_WORKDIR}/tsconfig.json ./tsconfig.json
 # Copy log4js-config.json to provide log configuration
 COPY --from=build ${DOCKER_WORKDIR}/log4js-config.json ./log4js-config.json
-# Copy memonic type since its referenced in the sources
-# TODO: remove
-COPY --from=build ${DOCKER_WORKDIR}/src/config/mnemonic.uncompressed_buffer13116.txt ./src/config/mnemonic.uncompressed_buffer13116.txt
+
 # Copy run scripts run/
 # COPY --from=build ${DOCKER_WORKDIR}/run ./run

--- a/backend/src/auth/CustomJwtPayload.ts
+++ b/backend/src/auth/CustomJwtPayload.ts
@ -1,5 +1,5 @@
 import { JwtPayload } from 'jsonwebtoken'

 export interface CustomJwtPayload extends JwtPayload {
-  pubKey: Buffer
+  gradidoID: string
 }
--- a/backend/src/auth/JWT.ts
+++ b/backend/src/auth/JWT.ts
@ -11,8 +11,8 @@ export const decode = (token: string): CustomJwtPayload | null => {
  }
 }

-export const encode = (pubKey: Buffer): string => {
-  const token = jwt.sign({ pubKey }, CONFIG.JWT_SECRET, {
+export const encode = (gradidoID: string): string => {
+  const token = jwt.sign({ gradidoID }, CONFIG.JWT_SECRET, {
    expiresIn: CONFIG.JWT_EXPIRES_IN,
  })
  return token
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -10,7 +10,7 @@ Decimal.set({
 })

 const constants = {
-  DB_VERSION: '0056-consistent_transactions_table',
+  DB_VERSION: '0057-clear_old_password_junk',
  DECAY_START_TIME: new Date('2021-05-13 17:46:31-0000'), // GMT+0
  LOG4JS_CONFIG: 'log4js-config.json',
  // default log level on production should be info
--- a/backend/src/config/mnemonic.english.txt
+++ b/backend/src/config/mnemonic.english.txt
--- a/backend/src/config/mnemonic.uncompressed_buffer13116.txt
+++ b/backend/src/config/mnemonic.uncompressed_buffer13116.txt
--- a/backend/src/graphql/directive/isAuthorized.ts
+++ b/backend/src/graphql/directive/isAuthorized.ts
@ -5,9 +5,8 @@ import { AuthChecker } from 'type-graphql'
 import { decode, encode } from '@/auth/JWT'
 import { ROLE_UNAUTHORIZED, ROLE_USER, ROLE_ADMIN } from '@/auth/ROLES'
 import { RIGHTS } from '@/auth/RIGHTS'
-import { getCustomRepository } from '@dbTools/typeorm'
-import { UserRepository } from '@repository/User'
 import { INALIENABLE_RIGHTS } from '@/auth/INALIENABLE_RIGHTS'
+import { User } from '@entity/User'

 const isAuthorized: AuthChecker<any> = async ({ context }, rights) => {
  context.role = ROLE_UNAUTHORIZED // unauthorized user
@ -26,14 +25,16 @@ const isAuthorized: AuthChecker<any> = async ({ context }, rights) => {
  if (!decoded) {
    throw new Error('403.13 - Client certificate revoked')
  }
-  // Set context pubKey
-  context.pubKey = Buffer.from(decoded.pubKey).toString('hex')
+  // Set context gradidoID
+  context.gradidoID = decoded.gradidoID

  // TODO - load from database dynamically & admin - maybe encode this in the token to prevent many database requests
  // TODO this implementation is bullshit - two database queries cause our user identifiers are not aligned and vary between email, id and pubKey
-  const userRepository = getCustomRepository(UserRepository)
  try {
-    const user = await userRepository.findByPubkeyHex(context.pubKey)
+    const user = await User.findOneOrFail({
+      where: { gradidoID: decoded.gradidoID },
+      relations: ['emailContact'],
+    })
    context.user = user
    context.role = user.isAdmin ? ROLE_ADMIN : ROLE_USER
  } catch {
@ -48,7 +49,7 @@ const isAuthorized: AuthChecker<any> = async ({ context }, rights) => {
  }

  // set new header token
-  context.setHeaders.push({ key: 'token', value: encode(decoded.pubKey) })
+  context.setHeaders.push({ key: 'token', value: encode(decoded.gradidoID) })
  return true
 }

--- a/backend/src/graphql/resolver/TransactionResolver.ts
+++ b/backend/src/graphql/resolver/TransactionResolver.ts
@ -16,12 +16,12 @@ import { Transaction } from '@model/Transaction'
 import { TransactionList } from '@model/TransactionList'
 import { Order } from '@enum/Order'
 import { TransactionTypeId } from '@enum/TransactionTypeId'
+import { calculateBalance } from '@/util/validate'
 import TransactionSendArgs from '@arg/TransactionSendArgs'
 import Paginated from '@arg/Paginated'

 import { backendLogger as logger } from '@/server/logger'
 import { Context, getUser } from '@/server/context'
-import { calculateBalance, isHexPublicKey } from '@/util/validate'
 import { RIGHTS } from '@/auth/RIGHTS'
 import { communityUser } from '@/util/communityUser'
 import { virtualLinkTransaction, virtualDecayTransaction } from '@/util/virtualTransactions'
@ -315,10 +315,6 @@ export class TransactionResolver {

    // TODO this is subject to replay attacks
    const senderUser = getUser(context)
-    if (senderUser.pubKey.length !== 32) {
-      logger.error(`invalid sender public key:${senderUser.pubKey}`)
-      throw new Error('invalid sender public key')
-    }

    // validate recipient user
    const recipientUser = await findUserByEmail(email)
@ -331,10 +327,6 @@ export class TransactionResolver {
      logger.error(`The recipient account is not activated: recipientUser=${recipientUser}`)
      throw new Error('The recipient account is not activated')
    }
-    if (!isHexPublicKey(recipientUser.pubKey.toString('hex'))) {
-      logger.error(`invalid recipient public key: recipientUser=${recipientUser}`)
-      throw new Error('invalid recipient public key')
-    }

    await executeTransaction(amount, memo, senderUser, recipientUser)
    logger.info(
--- a/backend/src/graphql/resolver/UserResolver.test.ts
+++ b/backend/src/graphql/resolver/UserResolver.test.ts
@ -138,12 +138,8 @@ describe('UserResolver', () => {
              firstName: 'Peter',
              lastName: 'Lustig',
              password: '0',
-              pubKey: null,
-              privKey: null,
-              // emailHash: expect.any(Buffer),
              createdAt: expect.any(Date),
              // emailChecked: false,
-              passphrase: expect.any(String),
              language: 'de',
              isAdmin: null,
              deletedAt: null,
--- a/backend/src/graphql/resolver/UserResolver.ts
+++ b/backend/src/graphql/resolver/UserResolver.ts
@ -1,4 +1,3 @@
-import fs from 'fs'
 import i18n from 'i18n'
 import { v4 as uuidv4 } from 'uuid'
 import {
@ -60,8 +59,8 @@ import {
  EventActivateAccount,
 } from '@/event/Event'
 import { getUserCreation, getUserCreations } from './util/creations'
+import { isValidPassword } from '@/password/EncryptorUtils'
 import { FULL_CREATION_AVAILABLE } from './const/const'
-import { isValidPassword, SecretKeyCryptographyCreateKey } from '@/password/EncryptorUtils'
 import { encryptPassword, verifyPassword } from '@/password/PasswordEncryptor'
 import { PasswordEncryptionType } from '../enum/PasswordEncryptionType'

@ -76,79 +75,6 @@ const isLanguage = (language: string): boolean => {
  return LANGUAGES.includes(language)
 }

-const PHRASE_WORD_COUNT = 24
-const WORDS = fs
-  .readFileSync('src/config/mnemonic.uncompressed_buffer13116.txt')
-  .toString()
-  .split(',')
-const PassphraseGenerate = (): string[] => {
-  logger.trace('PassphraseGenerate...')
-  const result = []
-  for (let i = 0; i < PHRASE_WORD_COUNT; i++) {
-    result.push(WORDS[sodium.randombytes_random() % 2048])
-  }
-  return result
-}
-
-const KeyPairEd25519Create = (passphrase: string[]): Buffer[] => {
-  logger.trace('KeyPairEd25519Create...')
-  if (!passphrase.length || passphrase.length < PHRASE_WORD_COUNT) {
-    logger.error('passphrase empty or to short')
-    throw new Error('passphrase empty or to short')
-  }
-
-  const state = Buffer.alloc(sodium.crypto_hash_sha512_STATEBYTES)
-  sodium.crypto_hash_sha512_init(state)
-
-  // To prevent breaking existing passphrase-hash combinations word indices will be put into 64 Bit Variable to mimic first implementation of algorithms
-  for (let i = 0; i < PHRASE_WORD_COUNT; i++) {
-    const value = Buffer.alloc(8)
-    const wordIndex = WORDS.indexOf(passphrase[i])
-    value.writeBigInt64LE(BigInt(wordIndex))
-    sodium.crypto_hash_sha512_update(state, value)
-  }
-  // trailing space is part of the login_server implementation
-  const clearPassphrase = passphrase.join(' ') + ' '
-  sodium.crypto_hash_sha512_update(state, Buffer.from(clearPassphrase))
-  const outputHashBuffer = Buffer.alloc(sodium.crypto_hash_sha512_BYTES)
-  sodium.crypto_hash_sha512_final(state, outputHashBuffer)
-
-  const pubKey = Buffer.alloc(sodium.crypto_sign_PUBLICKEYBYTES)
-  const privKey = Buffer.alloc(sodium.crypto_sign_SECRETKEYBYTES)
-
-  sodium.crypto_sign_seed_keypair(
-    pubKey,
-    privKey,
-    outputHashBuffer.slice(0, sodium.crypto_sign_SEEDBYTES),
-  )
-  logger.debug(`KeyPair creation ready. pubKey=${pubKey}`)
-
-  return [pubKey, privKey]
-}
-
-const SecretKeyCryptographyEncrypt = (message: Buffer, encryptionKey: Buffer): Buffer => {
-  logger.trace('SecretKeyCryptographyEncrypt...')
-  const encrypted = Buffer.alloc(message.length + sodium.crypto_secretbox_MACBYTES)
-  const nonce = Buffer.alloc(sodium.crypto_secretbox_NONCEBYTES)
-  nonce.fill(31) // static nonce
-
-  sodium.crypto_secretbox_easy(encrypted, message, nonce, encryptionKey)
-  logger.debug(`SecretKeyCryptographyEncrypt...successful: ${encrypted}`)
-  return encrypted
-}
-
-const SecretKeyCryptographyDecrypt = (encryptedMessage: Buffer, encryptionKey: Buffer): Buffer => {
-  logger.trace('SecretKeyCryptographyDecrypt...')
-  const message = Buffer.alloc(encryptedMessage.length - sodium.crypto_secretbox_MACBYTES)
-  const nonce = Buffer.alloc(sodium.crypto_secretbox_NONCEBYTES)
-  nonce.fill(31) // static nonce
-
-  sodium.crypto_secretbox_open_easy(message, encryptedMessage, nonce, encryptionKey)
-
-  logger.debug(`SecretKeyCryptographyDecrypt...successful: ${message}`)
-  return message
-}
-
 const newEmailContact = (email: string, userId: number): DbUserContact => {
  logger.trace(`newEmailContact...`)
  const emailContact = new DbUserContact()
@ -191,7 +117,6 @@ export class UserResolver {
    const clientTimezoneOffset = getClientTimezoneOffset(context)
    const userEntity = getUser(context)
    const user = new User(userEntity, await getUserCreation(userEntity.id, clientTimezoneOffset))
-    // user.pubkey = userEntity.pubKey.toString('hex')
    // Elopage Status & Stored PublisherId
    user.hasElopage = await this.hasElopage(context)

@ -223,11 +148,6 @@ export class UserResolver {
      // TODO we want to catch this on the frontend and ask the user to check his emails or resend code
      throw new Error('User has no password set yet')
    }
-    if (!dbUser.pubKey || !dbUser.privKey) {
-      logger.error('The User has no private or publicKey.')
-      // TODO we want to catch this on the frontend and ask the user to check his emails or resend code
-      throw new Error('User has no private or publicKey')
-    }

    if (!verifyPassword(dbUser, password)) {
      logger.error('The User has no valid credentials.')
@ -259,7 +179,7 @@ export class UserResolver {

    context.setHeaders.push({
      key: 'token',
-      value: encode(dbUser.pubKey),
+      value: encode(dbUser.gradidoID),
    })
    const ev = new EventLogin()
    ev.userId = user.id
@ -352,11 +272,6 @@ export class UserResolver {
      }
    }

-    const passphrase = PassphraseGenerate()
-    // const keyPair = KeyPairEd25519Create(passphrase) // return pub, priv Key
-    // const passwordHash = SecretKeyCryptographyCreateKey(email, password) // return short and long hash
-    // const encryptedPrivkey = SecretKeyCryptographyEncrypt(keyPair[1], passwordHash[1])
-    // const emailHash = getEmailHash(email)
    const gradidoID = await newGradidoID()

    const eventRegister = new EventRegister()
@ -370,7 +285,6 @@ export class UserResolver {
    dbUser.language = language
    dbUser.publisherId = publisherId
    dbUser.passwordEncryptionType = PasswordEncryptionType.NO_PASSWORD
-    dbUser.passphrase = passphrase.join(' ')
    logger.debug('new dbUser=' + dbUser)
    if (redeemCode) {
      if (redeemCode.match(/^CL-/)) {
@ -391,12 +305,6 @@ export class UserResolver {
        }
      }
    }
-    // TODO this field has no null allowed unlike the loginServer table
-    // dbUser.pubKey = Buffer.from(randomBytes(32)) // Buffer.alloc(32, 0) default to 0000...
-    // dbUser.pubkey = keyPair[0]
-    // loginUser.password = passwordHash[0].readBigUInt64LE() // using the shorthash
-    // loginUser.pubKey = keyPair[0]
-    // loginUser.privKey = encryptedPrivkey

    const queryRunner = getConnection().createQueryRunner()
    await queryRunner.connect()
@ -575,34 +483,12 @@ export class UserResolver {
    const user = userContact.user
    logger.debug('user with EmailVerificationCode found...')

-    // Generate Passphrase if needed
-    if (!user.passphrase) {
-      const passphrase = PassphraseGenerate()
-      user.passphrase = passphrase.join(' ')
-      logger.debug('new Passphrase generated...')
-    }
-
-    const passphrase = user.passphrase.split(' ')
-    if (passphrase.length < PHRASE_WORD_COUNT) {
-      logger.error('Could not load a correct passphrase')
-      // TODO if this can happen we cannot recover from that
-      // this seem to be good on production data, if we dont
-      // make a coding mistake we do not have a problem here
-      throw new Error('Could not load a correct passphrase')
-    }
-    logger.debug('Passphrase is valid...')
-
    // Activate EMail
    userContact.emailChecked = true

    // Update Password
    user.passwordEncryptionType = PasswordEncryptionType.GRADIDO_ID
-    const passwordHash = SecretKeyCryptographyCreateKey(userContact.email, password) // return short and long hash
-    const keyPair = KeyPairEd25519Create(passphrase) // return pub, priv Key
-    const encryptedPrivkey = SecretKeyCryptographyEncrypt(keyPair[1], passwordHash[1])
    user.password = encryptPassword(user, password)
-    user.pubKey = keyPair[0]
-    user.privKey = encryptedPrivkey
    logger.debug('User credentials updated ...')

    const queryRunner = getConnection().createQueryRunner()
@ -713,30 +599,14 @@ export class UserResolver {
        )
      }

-      // TODO: This had some error cases defined - like missing private key. This is no longer checked.
-      const oldPasswordHash = SecretKeyCryptographyCreateKey(
-        userEntity.emailContact.email,
-        password,
-      )
      if (!verifyPassword(userEntity, password)) {
        logger.error(`Old password is invalid`)
        throw new Error(`Old password is invalid`)
      }

-      const privKey = SecretKeyCryptographyDecrypt(userEntity.privKey, oldPasswordHash[1])
-      logger.debug('oldPassword decrypted...')
-      const newPasswordHash = SecretKeyCryptographyCreateKey(
-        userEntity.emailContact.email,
-        passwordNew,
-      ) // return short and long hash
-      logger.debug('newPasswordHash created...')
-      const encryptedPrivkey = SecretKeyCryptographyEncrypt(privKey, newPasswordHash[1])
-      logger.debug('PrivateKey encrypted...')
-
      // Save new password hash and newly encrypted private key
      userEntity.passwordEncryptionType = PasswordEncryptionType.GRADIDO_ID
      userEntity.password = encryptPassword(userEntity, passwordNew)
-      userEntity.privKey = encryptedPrivkey
    }

    const queryRunner = getConnection().createQueryRunner()
--- a/backend/src/typeorm/repository/User.ts
+++ b/backend/src/typeorm/repository/User.ts
@ -4,21 +4,6 @@ import { User as DbUser } from '@entity/User'

@EntityRepository(DbUser)
 export class UserRepository extends Repository<DbUser> {
-  async findByPubkeyHex(pubkeyHex: string): Promise<DbUser> {
-    const dbUser = await this.createQueryBuilder('user')
-      .leftJoinAndSelect('user.emailContact', 'emailContact')
-      .where('hex(user.pubKey) = :pubkeyHex', { pubkeyHex })
-      .getOneOrFail()
-    /*
-    const dbUser = await this.findOneOrFail(`hex(user.pubKey) = { pubkeyHex }`)
-    const emailContact = await this.query(
-      `SELECT * from user_contacts where id = { dbUser.emailId }`,
-    )
-    dbUser.emailContact = emailContact
-    */
-    return dbUser
-  }
-
  async findBySearchCriteriaPagedFiltered(
    select: string[],
    searchCriteria: string,
--- a/backend/src/util/communityUser.ts
+++ b/backend/src/util/communityUser.ts
@ -16,8 +16,6 @@ const communityDbUser: dbUser = {
  emailId: -1,
  firstName: 'Gradido',
  lastName: 'Akademie',
-  pubKey: Buffer.from(''),
-  privKey: Buffer.from(''),
  deletedAt: null,
  password: BigInt(0),
  //  emailHash: Buffer.from(''),
@ -26,7 +24,6 @@ const communityDbUser: dbUser = {
  language: '',
  isAdmin: null,
  publisherId: 0,
-  passphrase: '',
  // default password encryption type
  passwordEncryptionType: PasswordEncryptionType.NO_PASSWORD,
  hasId: function (): boolean {
--- a/backend/src/util/validate.ts
+++ b/backend/src/util/validate.ts
@ -14,10 +14,6 @@ function isStringBoolean(value: string): boolean {
  return false
 }

-function isHexPublicKey(publicKey: string): boolean {
-  return /^[0-9A-Fa-f]{64}$/i.test(publicKey)
-}
-
 async function calculateBalance(
  userId: number,
  amount: Decimal,
@ -45,4 +41,4 @@ async function calculateBalance(
  return { balance, lastTransactionId: lastTransaction.id, decay }
 }

-export { isHexPublicKey, calculateBalance, isStringBoolean }
+export { calculateBalance, isStringBoolean }
--- a/database/entity/0057-clear_old_password_junk/User.ts
+++ b/database/entity/0057-clear_old_password_junk/User.ts
@ -0,0 +1,112 @@
+import {
+  BaseEntity,
+  Entity,
+  PrimaryGeneratedColumn,
+  Column,
+  DeleteDateColumn,
+  OneToMany,
+  JoinColumn,
+  OneToOne,
+} from 'typeorm'
+import { Contribution } from '../Contribution'
+import { ContributionMessage } from '../ContributionMessage'
+import { UserContact } from '../UserContact'
+
+@Entity('users', { engine: 'InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci' })
+export class User extends BaseEntity {
+  @PrimaryGeneratedColumn('increment', { unsigned: true })
+  id: number
+
+  @Column({
+    name: 'gradido_id',
+    length: 36,
+    nullable: false,
+    collation: 'utf8mb4_unicode_ci',
+  })
+  gradidoID: string
+
+  @Column({
+    name: 'alias',
+    length: 20,
+    nullable: true,
+    default: null,
+    collation: 'utf8mb4_unicode_ci',
+  })
+  alias: string
+
+  @OneToOne(() => UserContact, (emailContact: UserContact) => emailContact.user)
+  @JoinColumn({ name: 'email_id' })
+  emailContact: UserContact
+
+  @Column({ name: 'email_id', type: 'int', unsigned: true, nullable: true, default: null })
+  emailId: number | null
+
+  @Column({
+    name: 'first_name',
+    length: 255,
+    nullable: true,
+    default: null,
+    collation: 'utf8mb4_unicode_ci',
+  })
+  firstName: string
+
+  @Column({
+    name: 'last_name',
+    length: 255,
+    nullable: true,
+    default: null,
+    collation: 'utf8mb4_unicode_ci',
+  })
+  lastName: string
+
+  @Column({ name: 'created_at', default: () => 'CURRENT_TIMESTAMP', nullable: false })
+  createdAt: Date
+
+  @DeleteDateColumn({ name: 'deleted_at', nullable: true })
+  deletedAt: Date | null
+
+  @Column({ type: 'bigint', default: 0, unsigned: true })
+  password: BigInt
+
+  @Column({
+    name: 'password_encryption_type',
+    type: 'int',
+    unsigned: true,
+    nullable: false,
+    default: 0,
+  })
+  passwordEncryptionType: number
+
+  @Column({ length: 4, default: 'de', collation: 'utf8mb4_unicode_ci', nullable: false })
+  language: string
+
+  @Column({ name: 'is_admin', type: 'datetime', nullable: true, default: null })
+  isAdmin: Date | null
+
+  @Column({ name: 'referrer_id', type: 'int', unsigned: true, nullable: true, default: null })
+  referrerId?: number | null
+
+  @Column({
+    name: 'contribution_link_id',
+    type: 'int',
+    unsigned: true,
+    nullable: true,
+    default: null,
+  })
+  contributionLinkId?: number | null
+
+  @Column({ name: 'publisher_id', default: 0 })
+  publisherId: number
+
+  @OneToMany(() => Contribution, (contribution) => contribution.user)
+  @JoinColumn({ name: 'user_id' })
+  contributions?: Contribution[]
+
+  @OneToMany(() => ContributionMessage, (message) => message.user)
+  @JoinColumn({ name: 'user_id' })
+  messages?: ContributionMessage[]
+
+  @OneToMany(() => UserContact, (userContact: UserContact) => userContact.user)
+  @JoinColumn({ name: 'user_id' })
+  userContacts?: UserContact[]
+}
--- a/database/entity/0057-clear_old_password_junk/UserContact.ts
+++ b/database/entity/0057-clear_old_password_junk/UserContact.ts
@ -0,0 +1,57 @@
+import {
+  BaseEntity,
+  Entity,
+  PrimaryGeneratedColumn,
+  Column,
+  DeleteDateColumn,
+  OneToOne,
+} from 'typeorm'
+import { User } from './User'
+
+@Entity('user_contacts', { engine: 'InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci' })
+export class UserContact extends BaseEntity {
+  @PrimaryGeneratedColumn('increment', { unsigned: true })
+  id: number
+
+  @Column({
+    name: 'type',
+    length: 100,
+    nullable: true,
+    default: null,
+    collation: 'utf8mb4_unicode_ci',
+  })
+  type: string
+
+  @OneToOne(() => User, (user) => user.emailContact)
+  user: User
+
+  @Column({ name: 'user_id', type: 'int', unsigned: true, nullable: false })
+  userId: number
+
+  @Column({ length: 255, unique: true, nullable: false, collation: 'utf8mb4_unicode_ci' })
+  email: string
+
+  @Column({ name: 'email_verification_code', type: 'bigint', unsigned: true, unique: true })
+  emailVerificationCode: BigInt
+
+  @Column({ name: 'email_opt_in_type_id' })
+  emailOptInTypeId: number
+
+  @Column({ name: 'email_resend_count' })
+  emailResendCount: number
+
+  @Column({ name: 'email_checked', type: 'bool', nullable: false, default: false })
+  emailChecked: boolean
+
+  @Column({ length: 255, unique: false, nullable: true, collation: 'utf8mb4_unicode_ci' })
+  phone: string
+
+  @Column({ name: 'created_at', default: () => 'CURRENT_TIMESTAMP', nullable: false })
+  createdAt: Date
+
+  @Column({ name: 'updated_at', nullable: true, default: null, type: 'datetime' })
+  updatedAt: Date | null
+
+  @DeleteDateColumn({ name: 'deleted_at', nullable: true })
+  deletedAt: Date | null
+}
--- a/database/entity/User.ts
+++ b/database/entity/User.ts
@ -1 +1 @@
-export { User } from './0053-change_password_encryption/User'
+export { User } from './0057-clear_old_password_junk/User'
--- a/database/entity/UserContact.ts
+++ b/database/entity/UserContact.ts
@ -1 +1 @@
-export { UserContact } from './0053-change_password_encryption/UserContact'
+export { UserContact } from './0057-clear_old_password_junk/UserContact'
--- a/database/migrations/0057-clear_old_password_junk.ts
+++ b/database/migrations/0057-clear_old_password_junk.ts
@ -0,0 +1,16 @@
+/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+export async function upgrade(queryFn: (query: string, values?: any[]) => Promise<Array<any>>) {
+  await queryFn('ALTER TABLE users DROP COLUMN public_key;')
+  await queryFn('ALTER TABLE users DROP COLUMN privkey;')
+  await queryFn('ALTER TABLE users DROP COLUMN email_hash;')
+  await queryFn('ALTER TABLE users DROP COLUMN passphrase;')
+}
+
+export async function downgrade(queryFn: (query: string, values?: any[]) => Promise<Array<any>>) {
+  await queryFn('ALTER TABLE users ADD COLUMN public_key binary(32) DEFAULT NULL;')
+  await queryFn('ALTER TABLE users ADD COLUMN privkey binary(80) DEFAULT NULL;')
+  await queryFn('ALTER TABLE users ADD COLUMN email_hash binary(32) DEFAULT NULL;')
+  await queryFn('ALTER TABLE users ADD COLUMN passphrase text DEFAULT NULL;')
+}