encryption interface

2025-12-13 07:45:54 +00:00 · 2022-11-09 10:46:01 +01:00 · 2022-11-09 10:46:01 +01:00 · ac6b8e666f
commit ac6b8e666f
parent 73ced2291e
6 changed files with 110 additions and 2 deletions
--- a/backend/src/graphql/enum/PasswordEncryptionType.ts
+++ b/backend/src/graphql/enum/PasswordEncryptionType.ts
@ -0,0 +1,12 @@
+import { registerEnumType } from 'type-graphql'
+
+export enum PasswordEncryptionType {
+  EMAIL = 0,
+  ONE_TIME = 1,
+  GRADIDO_ID = 2,
+}
+
+registerEnumType(PasswordEncryptionType, {
+  name: 'PasswordEncryptionType', // this one is mandatory
+  description: 'Type of the password encryption', // this one is optional
+})
--- a/backend/src/password/EmailEncryptr.ts
+++ b/backend/src/password/EmailEncryptr.ts
@ -0,0 +1,19 @@
+import { User } from '@entity/User'
+import { PasswordEncryptr } from './PasswordEncryptr'
+import { SecretKeyCryptographyCreateKey } from './EncryptorUtils'
+
+export class EmailEncryptr implements PasswordEncryptr {
+  async encryptPassword(dbUser: User, password: string): Promise<bigint> {
+    const keyBuffer = SecretKeyCryptographyCreateKey(dbUser.emailContact.email, password) // return short and long hash
+    const passwordHash = keyBuffer[0].readBigUInt64LE()
+
+    return passwordHash
+  }
+
+  async verifyPassword(dbUser: User, password: string): Promise<boolean> {
+    if (BigInt(password) !== (await this.encryptPassword(dbUser, dbUser.password.toString()))) {
+      return false
+    }
+    return true
+  }
+}
--- a/backend/src/password/EncryptorUtils.ts
+++ b/backend/src/password/EncryptorUtils.ts
@ -0,0 +1,52 @@
+import CONFIG from '@/config'
+import { backendLogger as logger } from '@/server/logger'
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const sodium = require('sodium-native')
+
+// We will reuse this for changePassword
+export const isValidPassword = (password: string): boolean => {
+  return !!password.match(/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^a-zA-Z0-9 \\t\\n\\r]).{8,}$/)
+}
+
+export const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[] => {
+  logger.trace('SecretKeyCryptographyCreateKey...')
+  const configLoginAppSecret = Buffer.from(CONFIG.LOGIN_APP_SECRET, 'hex')
+  const configLoginServerKey = Buffer.from(CONFIG.LOGIN_SERVER_KEY, 'hex')
+  if (configLoginServerKey.length !== sodium.crypto_shorthash_KEYBYTES) {
+    logger.error(
+      `ServerKey has an invalid size. The size must be ${sodium.crypto_shorthash_KEYBYTES} bytes.`,
+    )
+    throw new Error(
+      `ServerKey has an invalid size. The size must be ${sodium.crypto_shorthash_KEYBYTES} bytes.`,
+    )
+  }
+
+  const state = Buffer.alloc(sodium.crypto_hash_sha512_STATEBYTES)
+  sodium.crypto_hash_sha512_init(state)
+  sodium.crypto_hash_sha512_update(state, Buffer.from(salt))
+  sodium.crypto_hash_sha512_update(state, configLoginAppSecret)
+  const hash = Buffer.alloc(sodium.crypto_hash_sha512_BYTES)
+  sodium.crypto_hash_sha512_final(state, hash)
+
+  const encryptionKey = Buffer.alloc(sodium.crypto_box_SEEDBYTES)
+  const opsLimit = 10
+  const memLimit = 33554432
+  const algo = 2
+  sodium.crypto_pwhash(
+    encryptionKey,
+    Buffer.from(password),
+    hash.slice(0, sodium.crypto_pwhash_SALTBYTES),
+    opsLimit,
+    memLimit,
+    algo,
+  )
+
+  const encryptionKeyHash = Buffer.alloc(sodium.crypto_shorthash_BYTES)
+  sodium.crypto_shorthash(encryptionKeyHash, encryptionKey, configLoginServerKey)
+
+  logger.debug(
+    `SecretKeyCryptographyCreateKey...successful: encryptionKeyHash= ${encryptionKeyHash}, encryptionKey= ${encryptionKey}`,
+  )
+  return [encryptionKeyHash, encryptionKey]
+}
--- a/backend/src/password/GradidoIDEncryptr.ts
+++ b/backend/src/password/GradidoIDEncryptr.ts
@ -0,0 +1,19 @@
+import { User } from '@entity/User'
+import { SecretKeyCryptographyCreateKey } from './EncryptorUtils'
+import { PasswordEncryptr } from './PasswordEncryptr'
+
+export class GradidoIDEncryptr implements PasswordEncryptr {
+  async encryptPassword(dbUser: User, password: string): Promise<bigint> {
+    const keyBuffer = SecretKeyCryptographyCreateKey(dbUser.gradidoID, password) // return short and long hash
+    const passwordHash = keyBuffer[0].readBigUInt64LE()
+
+    return passwordHash
+  }
+
+  async verifyPassword(dbUser: User, password: string): Promise<boolean> {
+    if (BigInt(password) !== (await this.encryptPassword(dbUser, dbUser.password.toString()))) {
+      return false
+    }
+    return true
+  }
+}
--- a/backend/src/password/PasswordEncryptr.ts
+++ b/backend/src/password/PasswordEncryptr.ts
@ -0,0 +1,6 @@
+import { User } from '@entity/User'
+
+export interface PasswordEncryptr {
+  encryptPassword(dbUser: User, password: string): Promise<bigint>
+  verifyPassword(dbUser: User, password: string): Promise<boolean>
+}
--- a/database/migrations/0053-change_password_encryption.ts
+++ b/database/migrations/0053-change_password_encryption.ts
@ -1,4 +1,4 @@
-/* MIGRATION TO ADD GRADIDO_ID
+/* MIGRATION TO ADD ENCRYPTION TO PASSWORDS
 *
 * This migration adds and renames columns to and in the table `users`
 */
@ -35,4 +35,4 @@ export async function downgrade(queryFn: (query: string, values?: any[]) => Prom
  await queryFn('ALTER TABLE users ADD COLUMN email_hash binary(32) DEFAULT NULL;')
  await queryFn('ALTER TABLE users ADD COLUMN passphrase text DEFAULT NULL;')
  */
-}
+}