verdaccio/packages/core/htpasswd/src/utils.ts

import crypto from 'crypto';

import md5 from 'apache-md5';
import bcrypt from 'bcryptjs';
import createError, { HttpError } from 'http-errors';
import { readFile } from '@verdaccio/file-locking';
import { Callback } from '@verdaccio/types';

import crypt3 from './crypt3';

// this function neither unlocks file nor closes it
// it'll have to be done manually later
export function lockAndRead(name: string, cb: Callback): void {
  readFile(name, { lock: true }, (err, res) => {
    if (err) {
      return cb(err);
    }

    return cb(null, res);
  });
}

/**
 * parseHTPasswd - convert htpasswd lines to object.
 * @param {string} input
 * @returns {object}
 */
export function parseHTPasswd(input: string): Record<string, any> {
  return input.split('\n').reduce((result, line) => {
    const args = line.split(':', 3);
    if (args.length > 1) {
      result[args[0]] = args[1];
    }
    return result;
  }, {});
}

/**
 * verifyPassword - matches password and it's hash.
 * @param {string} passwd
 * @param {string} hash
 * @returns {boolean}
 */
export function verifyPassword(passwd: string, hash: string): boolean {
  if (hash.match(/^\$2(a|b|y)\$/)) {
    return bcrypt.compareSync(passwd, hash);
  } else if (hash.indexOf('{PLAIN}') === 0) {
    return passwd === hash.substr(7);
  } else if (hash.indexOf('{SHA}') === 0) {
    return (
      crypto
        .createHash('sha1')
        // https://nodejs.org/api/crypto.html#crypto_hash_update_data_inputencoding
        .update(passwd, 'utf8')
        .digest('base64') === hash.substr(5)
    );
  }
  // for backwards compatibility, first check md5 then check crypt3
  return md5(passwd, hash) === hash || crypt3(passwd, hash) === hash;
}

/**
 * addUserToHTPasswd - Generate a htpasswd format for .htpasswd
 * @param {string} body
 * @param {string} user
 * @param {string} passwd
 * @returns {string}
 */
export function addUserToHTPasswd(body: string, user: string, passwd: string): string {
  if (user !== encodeURIComponent(user)) {
    const err = createError('username should not contain non-uri-safe characters');

    err.status = 409;
    throw err;
  }

  if (crypt3) {
    passwd = crypt3(passwd);
  } else {
    passwd = '{SHA}' + crypto.createHash('sha1').update(passwd, 'utf8').digest('base64');
  }
  const comment = 'autocreated ' + new Date().toJSON();
  let newline = `${user}:${passwd}:${comment}\n`;

  if (body.length && body[body.length - 1] !== '\n') {
    newline = '\n' + newline;
  }
  return body + newline;
}

/**
 * Sanity check for a user
 * @param {string} user
 * @param {object} users
 * @param {number} maxUsers
 * @returns {object}
 */
export function sanityCheck(user: string, password: string, verifyFn: Callback, users: {}, maxUsers: number): HttpError | null {
  let err;

  // check for user or password
  if (!user || !password) {
    err = Error('username and password is required');
    err.status = 400;
    return err;
  }

  const hash = users[user];

  if (maxUsers < 0) {
    err = Error('user registration disabled');
    err.status = 409;
    return err;
  }

  if (hash) {
    const auth = verifyFn(password, users[user]);
    if (auth) {
      err = Error('username is already registered');
      err.status = 409;
      return err;
    }
    err = Error('unauthorized access');
    err.status = 401;
    return err;
  } else if (Object.keys(users).length >= maxUsers) {
    err = Error('maximum amount of users reached');
    err.status = 403;
    return err;
  }

  return null;
}

export function getCryptoPassword(password: string): string {
  return `{SHA}${crypto.createHash('sha1').update(password, 'utf8').digest('base64')}`;
}

/**
 * changePasswordToHTPasswd - change password for existing user
 * @param {string} body
 * @param {string} user
 * @param {string} passwd
 * @param {string} newPasswd
 * @returns {string}
 */
export function changePasswordToHTPasswd(body: string, user: string, passwd: string, newPasswd: string): string {
  let lines = body.split('\n');
  lines = lines.map((line) => {
    const [username, password] = line.split(':', 3);

    if (username === user) {
      let _passwd;
      let _newPasswd;
      if (crypt3) {
        _passwd = crypt3(passwd, password);
        _newPasswd = crypt3(newPasswd);
      } else {
        _passwd = getCryptoPassword(passwd);
        _newPasswd = getCryptoPassword(newPasswd);
      }

      if (password == _passwd) {
        // replace old password hash with new password hash
        line = line.replace(_passwd, _newPasswd);
      } else {
        throw new Error('Invalid old Password');
      }
    }
    return line;
  });

  return lines.join('\n');
}
feat: relocate core packages (#1906) * chore: clean lint warnings * refactor: move core packages 2020-08-19 20:27:35 +02:00			`import crypto from 'crypto';`

			`import md5 from 'apache-md5';`
			`import bcrypt from 'bcryptjs';`
			`import createError, { HttpError } from 'http-errors';`
			`import { readFile } from '@verdaccio/file-locking';`
			`import { Callback } from '@verdaccio/types';`

			`import crypt3 from './crypt3';`

			`// this function neither unlocks file nor closes it`
			`// it'll have to be done manually later`
			`export function lockAndRead(name: string, cb: Callback): void {`
			`readFile(name, { lock: true }, (err, res) => {`
			`if (err) {`
			`return cb(err);`
			`}`

			`return cb(null, res);`
			`});`
			`}`

			`/**`
			`* parseHTPasswd - convert htpasswd lines to object.`
			`* @param {string} input`
			`* @returns {object}`
			`*/`
			`export function parseHTPasswd(input: string): Record<string, any> {`
			`return input.split('\n').reduce((result, line) => {`
			`const args = line.split(':', 3);`
			`if (args.length > 1) {`
			`result[args[0]] = args[1];`
			`}`
			`return result;`
			`}, {});`
			`}`

			`/**`
			`* verifyPassword - matches password and it's hash.`
			`* @param {string} passwd`
			`* @param {string} hash`
			`* @returns {boolean}`
			`*/`
			`export function verifyPassword(passwd: string, hash: string): boolean {`
			`if (hash.match(/^\$2(a\|b\|y)\$/)) {`
			`return bcrypt.compareSync(passwd, hash);`
			`} else if (hash.indexOf('{PLAIN}') === 0) {`
			`return passwd === hash.substr(7);`
			`} else if (hash.indexOf('{SHA}') === 0) {`
			`return (`
			`crypto`
			`.createHash('sha1')`
			`// https://nodejs.org/api/crypto.html#crypto_hash_update_data_inputencoding`
			`.update(passwd, 'utf8')`
			`.digest('base64') === hash.substr(5)`
			`);`
			`}`
			`// for backwards compatibility, first check md5 then check crypt3`
			`return md5(passwd, hash) === hash \|\| crypt3(passwd, hash) === hash;`
			`}`

			`/**`
			`* addUserToHTPasswd - Generate a htpasswd format for .htpasswd`
			`* @param {string} body`
			`* @param {string} user`
			`* @param {string} passwd`
			`* @returns {string}`
			`*/`
			`export function addUserToHTPasswd(body: string, user: string, passwd: string): string {`
			`if (user !== encodeURIComponent(user)) {`
			`const err = createError('username should not contain non-uri-safe characters');`

			`err.status = 409;`
			`throw err;`
			`}`

			`if (crypt3) {`
			`passwd = crypt3(passwd);`
			`} else {`
			`passwd = '{SHA}' + crypto.createHash('sha1').update(passwd, 'utf8').digest('base64');`
			`}`
			`const comment = 'autocreated ' + new Date().toJSON();`
			let newline = `${user}:${passwd}:${comment}\n`;

			`if (body.length && body[body.length - 1] !== '\n') {`
			`newline = '\n' + newline;`
			`}`
			`return body + newline;`
			`}`

			`/**`
			`* Sanity check for a user`
			`* @param {string} user`
			`* @param {object} users`
			`* @param {number} maxUsers`
			`* @returns {object}`
			`*/`
			`export function sanityCheck(user: string, password: string, verifyFn: Callback, users: {}, maxUsers: number): HttpError \| null {`
			`let err;`

			`// check for user or password`
			`if (!user \|\| !password) {`
			`err = Error('username and password is required');`
			`err.status = 400;`
			`return err;`
			`}`

			`const hash = users[user];`

			`if (maxUsers < 0) {`
			`err = Error('user registration disabled');`
			`err.status = 409;`
			`return err;`
			`}`

			`if (hash) {`
			`const auth = verifyFn(password, users[user]);`
			`if (auth) {`
			`err = Error('username is already registered');`
			`err.status = 409;`
			`return err;`
			`}`
			`err = Error('unauthorized access');`
			`err.status = 401;`
			`return err;`
			`} else if (Object.keys(users).length >= maxUsers) {`
			`err = Error('maximum amount of users reached');`
			`err.status = 403;`
			`return err;`
			`}`

			`return null;`
			`}`

			`export function getCryptoPassword(password: string): string {`
			return `{SHA}${crypto.createHash('sha1').update(password, 'utf8').digest('base64')}`;
			`}`

			`/**`
			`* changePasswordToHTPasswd - change password for existing user`
			`* @param {string} body`
			`* @param {string} user`
			`* @param {string} passwd`
			`* @param {string} newPasswd`
			`* @returns {string}`
			`*/`
			`export function changePasswordToHTPasswd(body: string, user: string, passwd: string, newPasswd: string): string {`
			`let lines = body.split('\n');`
			`lines = lines.map((line) => {`
			`const [username, password] = line.split(':', 3);`

			`if (username === user) {`
			`let _passwd;`
			`let _newPasswd;`
			`if (crypt3) {`
			`_passwd = crypt3(passwd, password);`
			`_newPasswd = crypt3(newPasswd);`
			`} else {`
			`_passwd = getCryptoPassword(passwd);`
			`_newPasswd = getCryptoPassword(newPasswd);`
			`}`

			`if (password == _passwd) {`
			`// replace old password hash with new password hash`
			`line = line.replace(_passwd, _newPasswd);`
			`} else {`
			`throw new Error('Invalid old Password');`
			`}`
			`}`
			`return line;`
			`});`

			`return lines.join('\n');`
			`}`