Explanation:
One should not use "Crypto.createHmac" to generate a HASH + SALT.
Normally, HMAC is used when you send a message to someone and you want to create a HASH of this message for integrity and also for authentication with the pre-shared key provided.
This means that the receiver will be able to verify that you sent this message because you share the key with her/him.
For example, HMAC is used with JWT with the HS256 algorithm; it is the same principle.
Risk:
None.
Where is the issue?
src/js/auth.js
How to fix/Recommendation:
I recommend using Argon2 if you want to create a HASH + SALT:
https://www.npmjs.com/package/argon2
"Crypto.createHmac('sha512', salt)" ---> "await argon2.hash("password")"
"helper.sha512(password, user_entity.salt) and user_entity.passwordHash === hash" ---> "await argon2.verify("big long hash", "password")"
You will need to remove the SALT column inside the admin_user table because Argon2 creates a long string with everything inside (SALT auto-generated), such as:
$argon2i$v=19$m=16,t=2,p=1$MmpqN29ta0JZRHM2TVZFQw$BgdsmoSo6kJfNbfEew71uw
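The encoded string above carries the variant, version, cost parameters and salt inline, which is why no separate salt column is needed. The following is an added example (not code from this issue or the project) that parses that format so a login path can confirm the salt really is embedded and can flag stored hashes whose parameters fall below a chosen policy; the minimum parameter values in `MIN_PARAMS` are an assumption.

```javascript
// Added example: parse the PHC-style string argon2 produces so a login path can
// verify that the salt and cost parameters travel with the hash itself.
// EXAMPLE_HASH is the string quoted in the issue; MIN_PARAMS is an assumed policy.
const EXAMPLE_HASH = '$argon2i$v=19$m=16,t=2,p=1$MmpqN29ta0JZRHM2TVZFQw$BgdsmoSo6kJfNbfEew71uw';

function parseArgon2(encoded) {
  // Layout: $<variant>$v=<ver>$m=<kib>,t=<iters>,p=<lanes>$<salt b64>$<hash b64>
  const parts = encoded.split('$');
  if (parts.length !== 6 || parts[0] !== '') {
    throw new Error('not a PHC-formatted argon2 string');
  }
  const [, variant, versionField, paramField, saltB64, hashB64] = parts;
  if (!['argon2i', 'argon2d', 'argon2id'].includes(variant)) {
    throw new Error(`unsupported variant: ${variant}`);
  }
  const version = Number(versionField.replace(/^v=/, ''));
  const params = Object.fromEntries(
    paramField.split(',').map((kv) => {
      const [k, v] = kv.split('=');
      return [k, Number(v)];
    })
  );
  for (const key of ['m', 't', 'p']) {
    if (!Number.isInteger(params[key]) || params[key] <= 0) {
      throw new Error(`missing or invalid parameter ${key}`);
    }
  }
  // argon2 omits base64 padding; Node's Buffer decoder accepts unpadded input.
  const salt = Buffer.from(saltB64, 'base64');
  const hash = Buffer.from(hashB64, 'base64');
  return { variant, version, memoryKiB: params.m, iterations: params.t, parallelism: params.p, salt, hash };
}

// Policy check: a stored hash should be re-hashed on the next successful login
// when its variant or cost parameters are below the (assumed) minimums.
const MIN_PARAMS = { memoryKiB: 19456, iterations: 2, parallelism: 1 }; // assumption

function needsRehash(encoded, minimums = MIN_PARAMS) {
  const p = parseArgon2(encoded);
  return p.variant !== 'argon2id'
    || p.memoryKiB < minimums.memoryKiB
    || p.iterations < minimums.iterations
    || p.parallelism < minimums.parallelism;
}
```

With the sample string, `parseArgon2` recovers a 16-byte salt and 16-byte digest, and `needsRehash` reports true because the variant is argon2i and m=16 KiB is below the assumed minimum.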