[BREAKING CHANGE] Improve security

2017-01-06 11:50:46 +09:00
parent 86548f6468
commit 9458245382
5 changed files with 19 additions and 3 deletions
--- a/src/api/authenticate.ts
+++ b/src/api/authenticate.ts
@ -43,7 +43,7 @@ export default (req: express.Request) => new Promise<IAuthContext>(async (resolv
 		});
 	} else {
 		const userkeyDoc = await Userkey.findOne({
-			key: token
+			hash: token
 		});

 		if (userkeyDoc === null) {
--- a/src/api/endpoints/auth/accept.js
+++ b/src/api/endpoints/auth/accept.js
@ -4,6 +4,8 @@
 * Module dependencies
 */
 import rndstr from 'rndstr';
+const crypto = require('crypto');
+import App from '../../models/app';
 import AuthSess from '../../models/auth-session';
 import Userkey from '../../models/userkey';

@ -41,12 +43,23 @@ module.exports = (params, user) =>
 	});

 	if (exist === null) {
+		// Lookup app
+		const app = await App.findOne({
+			app_id: session.app_id
+		});
+
+		// Generate Hash
+		const sha512 = crypto.createHash('sha512');
+		sha512.update(key + app.secret);
+		const hash = sha512.digest('hex');
+
 		// Insert userkey doc
 		await Userkey.insert({
 			created_at: new Date(),
 			app_id: session.app_id,
 			user_id: user._id,
-			key: key
+			key: key,
+			hash: hash
 		});
 	}

--- a/src/api/streaming.ts
+++ b/src/api/streaming.ts
@ -64,7 +64,7 @@ function authenticate(connection: websocket.connection, token: string): Promise<
 			resolve(user);
 		} else {
 			const userkey = await Userkey.findOne({
-				key: token
+				hash: token
 			});

 			if (userkey == null) {