Change pwd check to O(1) check to prevent timing attacks - single user mode (#575)
Change pwd check to O(1) check to prevent timing attacks
This commit is contained in:
parent
a4ace56a40
commit
3c859ba303
@ -37,7 +37,7 @@ export default function PasswordModal({ mode = "single" }) {
export function usePasswordModal() {
export function usePasswordModal() {
const [auth, setAuth] = useState({
const [auth, setAuth] = useState({
loading: true,
loading: true,
required: false,
requiresAuth: false,
mode: "single",
mode: "single",
});
});
@ -1,9 +1,13 @@
import React from "react";
import React from "react";
import PasswordModal, { usePasswordModal } from "@/components/Modals/Password";
import PasswordModal, { usePasswordModal } from "@/components/Modals/Password";
import { FullScreenLoader } from "@/components/Preloader";
import { FullScreenLoader } from "@/components/Preloader";
import { Navigate } from "react-router-dom";
import paths from "@/utils/paths";
export default function Login() {
export default function Login() {
const { loading, mode } = usePasswordModal();
const { loading, requiresAuth, mode } = usePasswordModal();
if (loading) return <FullScreenLoader />;
if (loading) return <FullScreenLoader />;
if (requiresAuth === false) return <Navigate to={paths.home()} />;
return <PasswordModal mode={mode} />;
return <PasswordModal mode={mode} />;
}
}
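Review bot: The new redirect `if (requiresAuth === false) return <Navigate to={paths.home()} />;` silently depends on the `loading` guard on the line above it, and nothing says so. The hook's initial state in the PasswordModal hunk is `loading: true` together with `requiresAuth: false`, so if someone later reorders these two early returns every visitor would be sent home before the settings fetch resolves. A one-line comment above the redirect would pin the order: `// Must stay after the loading guard: requiresAuth is false until the settings fetch completes.` Whether the hook can leave `requiresAuth` non-boolean on a failed fetch is not visible here; the strict `=== false` means such a value falls through to the modal, which is the safer default.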
@ -107,6 +107,8 @@ function systemEndpoints(app) {
app.post("/request-token", async (request, response) => {
app.post("/request-token", async (request, response) => {
try {
try {
const bcrypt = require("bcrypt");
if (await SystemSettings.isMultiUserMode()) {
if (await SystemSettings.isMultiUserMode()) {
const { username, password } = reqBody(request);
const { username, password } = reqBody(request);
const existingUser = await User.get({ username });
const existingUser = await User.get({ username });
@ -121,7 +123,6 @@ function systemEndpoints(app) {
return;
return;
}
}
const bcrypt = require("bcrypt");
if (!bcrypt.compareSync(password, existingUser.password)) {
if (!bcrypt.compareSync(password, existingUser.password)) {
response.status(200).json({
response.status(200).json({
user: null,
user: null,
@ -159,7 +160,12 @@ function systemEndpoints(app) {
return;
return;
} else {
} else {
const { password } = reqBody(request);
const { password } = reqBody(request);
if (password !== process.env.AUTH_TOKEN) {
if (
!bcrypt.compareSync(
password,
bcrypt.hashSync(process.env.AUTH_TOKEN, 10)
)
) {
response.status(401).json({
response.status(401).json({
valid: false,
valid: false,
token: null,
token: null,
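Review bot: The new `bcrypt.compareSync(password, bcrypt.hashSync(process.env.AUTH_TOKEN, 10))` in the single-user branch runs a fresh cost-10 bcrypt hash on every call, so the unauthenticated `/request-token` endpoint now burns a deliberately slow hash per attempt, and the same pattern is repeated in the `validatedRequest` hunk where it runs on every authenticated request; that is the opposite of the O(1) check the title describes. The timing leak in the old `password !== process.env.AUTH_TOKEN` is closed just as well by `crypto.timingSafeEqual` over fixed-length digests, which costs microseconds and needs no per-request salt. The new code also throws where the old one returned false: `hashSync` throws when `AUTH_TOKEN` is unset and `compareSync` throws when `password` is not a string, so a body with no password presumably reaches the handler's catch (outside this hunk) rather than the 401 branch below. A module-level helper like the one below, with `crypto` required at the top of the file, could replace the inline compare in both places; the `require("bcrypt")` moved into the `try` in the first hunk is cached by Node but would read better as a file-level import too.
```javascript
// Constant-time equality for the single-user AUTH_TOKEN: digest both sides to a
// fixed length so timingSafeEqual cannot throw on a length mismatch, and treat a
// missing password or unset env value as a mismatch instead of an exception.
function authTokenMatches(candidate, expected) {
  if (typeof candidate !== "string" || typeof expected !== "string") return false;
  const a = crypto.createHash("sha256").update(candidate).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// … unchanged: multi-user branch of /request-token …
        const { password } = reqBody(request);
        if (!authTokenMatches(password, process.env.AUTH_TOKEN)) {
          response.status(401).json({
// … unchanged: rest of the 401 response …
```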
@ -36,8 +36,9 @@ async function validatedRequest(request, response, next) {
return;
return;
}
}
const bcrypt = require("bcrypt");
const { p } = decodeJWT(token);
const { p } = decodeJWT(token);
if (p !== process.env.AUTH_TOKEN) {
if (!bcrypt.compareSync(p, bcrypt.hashSync(process.env.AUTH_TOKEN, 10))) {
response.status(401).json({
response.status(401).json({
error: "Invalid auth token found.",
error: "Invalid auth token found.",
});
});
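Review bot: `bcrypt.compareSync(p, bcrypt.hashSync(process.env.AUTH_TOKEN, 10))` takes `p` straight out of `decodeJWT(token)` with no type check, and `compareSync` throws on a non-string first argument, so a token whose payload lacks `p` would now raise instead of hitting the 401 below; whether a surrounding try/catch turns that into a clean response is not visible because `validatedRequest` starts before this hunk. The old `p !== process.env.AUTH_TOKEN` simply evaluated true for that case. A guard ahead of the compare keeps the old behaviour: `if (typeof p !== "string") { response.status(401).json({ error: "Invalid auth token found." }); return; }`. Beyond that, this is the middleware path, so the per-request cost-10 bcrypt here is paid on every authenticated call and is the heavier instance of the issue raised on the `/request-token` hunk.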