✨ Replace buddy-hashers with sodi.pwhash.

2025-01-06 14:50:20 -05:00 · 2020-01-12 19:00:18 +00:00 · 2020-01-12 19:00:18 +00:00 · 6a99345475
commit 6a99345475
parent 19529408f4
9 changed files with 32 additions and 61 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,15 +8,14 @@ pom.xml
 .lein-plugins/
 .repl
 .nrepl-port
+.cpcache
+.rebel_readline_history
+/vendor/**/target
 node_modules
-/backend/.cpcache
 /backend/target/
 /backend/resources/public/media
 /backend/dist/
 /backend/-
-/backend/.rebel_readline_history
-/frontend/.rebel_readline_history
-/frontend/.cpcache
 /frontend/npm-debug.log
 /frontend/target/
 /frontend/dist/
--- a/backend/deps.edn
+++ b/backend/deps.edn
@ -34,15 +34,15 @@
  hiccup/hiccup {:mvn/version "1.0.5"}
  org.im4java/im4java {:mvn/version "1.4.0"}

-  buddy/buddy-sign {:mvn/version "3.1.0"}
-  buddy/buddy-hashers {:mvn/version "1.4.0"}
-
  org.xerial.snappy/snappy-java {:mvn/version "1.1.7.3"}
  com.github.spullara.mustache.java/compiler {:mvn/version "0.9.6"}
  commons-io/commons-io {:mvn/version "2.6"}
  com.draines/postal {:mvn/version "2.0.3"
                      :exclusions [commons-codec/commons-codec]}

+  funcool/sodi {:local/root "vendor/sodi"
+                :deps/manifest :pom}
+
  ;; exception printing
  io.aviso/pretty {:mvn/version "0.1.37"}

--- a/backend/src/uxbox/config.clj
+++ b/backend/src/uxbox/config.clj
@ -2,16 +2,16 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; Copyright (c) 2017 Andrey Antukh <niwi@niwi.nz>
+;; This Source Code Form is "Incompatible With Secondary Licenses", as
+;; defined by the Mozilla Public License, v. 2.0.
+;;
+;; Copyright (c) 2017-2020 Andrey Antukh <niwi@niwi.nz>

 (ns uxbox.config
  "A configuration management."
  (:require
-   [clojure.java.io :as io]
   [clojure.tools.logging :as log]
-   [clojure.edn :as edn]
   [cuerdas.core :as str]
-   [buddy.core.hash :as hash]
   [environ.core :refer [env]]
   [mount.core :refer [defstate]]
   [uxbox.common.exceptions :as ex]))
@ -74,14 +74,14 @@

 ;; --- Secret Loading & Parsing

-(defn- initialize-secret
-  [config]
-  (let [secret (:secret config)]
-    (when-not secret
-      (ex/raise :code ::missing-secret-key
-                :message "Missing `:secret` key in config."))
-    (hash/blake2b-256 secret)))
-
-(defstate secret
-  :start (initialize-secret config))
+;; (defn- initialize-secret
+;;   [config]
+;;   (let [secret (:secret config)]
+;;     (when-not secret
+;;       (ex/raise :code ::missing-secret-key
+;;                 :message "Missing `:secret` key in config."))
+;;     (hash/blake2b-256 secret)))
+;;
+;; (defstate secret
+;;   :start (initialize-secret config))

--- a/backend/src/uxbox/fixtures.clj
+++ b/backend/src/uxbox/fixtures.clj
@ -8,7 +8,7 @@
  "A initial fixtures."
  (:require
   [clojure.tools.logging :as log]
-   [buddy.hashers :as hashers]
+   [sodi.pwhash :as pwhash]
   [mount.core :as mount]
   [promesa.core :as p]
   [uxbox.config :as cfg]
@ -30,7 +30,7 @@
   values ($1, $2, $3, $4, $5, $6)
   returning *;")

-(def password (hashers/encrypt "123123"))
+(def password (pwhash/derive "123123"))

 (defn create-user
  [conn user-index]
@ -185,7 +185,6 @@
  [& args]
  (try
    (-> (mount/only #{#'uxbox.config/config
-                      #'uxbox.config/secret
                      #'uxbox.core/system
                      #'uxbox.db/pool
                      #'uxbox.migrations/migrations})
--- a/backend/src/uxbox/http.clj
+++ b/backend/src/uxbox/http.clj
@ -46,6 +46,7 @@

        routes [["/sub/:file-id" {:interceptors [(vxi/cookies)
                                                 (vxi/cors cors-opts)
+                                                 interceptors/format-response-body
                                                 (session/auth)]
                                  :get ws/handler}]

--- a/backend/src/uxbox/services/mutations/auth.clj
+++ b/backend/src/uxbox/services/mutations/auth.clj
@ -7,7 +7,7 @@
 (ns uxbox.services.mutations.auth
  (:require
   [clojure.spec.alpha :as s]
-   [buddy.hashers :as hashers]
+   [sodi.pwhash :as pwhash]
   [promesa.core :as p]
   [uxbox.config :as cfg]
   [uxbox.common.exceptions :as ex]
@ -32,7 +32,8 @@
 (sm/defmutation ::login
  [{:keys [username password scope] :as params}]
  (letfn [(check-password [user password]
-            (hashers/check password (:password user)))
+            (let [result (pwhash/verify password (:password user))]
+              (:valid result)))

          (check-user [user]
            (when-not user
--- a/backend/src/uxbox/services/mutations/users.clj
+++ b/backend/src/uxbox/services/mutations/users.clj
@ -6,7 +6,7 @@

 (ns uxbox.services.mutations.users
  (:require
-   [buddy.hashers :as hashers]
+   [sodi.pwhash :as pwhash]
   [clojure.spec.alpha :as s]
   [datoteka.core :as fs]
   [datoteka.storages :as ds]
@ -26,7 +26,6 @@
                                         strip-private-attrs
                                         resolve-thumbnail]]
   [uxbox.util.blob :as blob]
-   [uxbox.util.token :as token]
   [uxbox.util.uuid :as uuid]
   [vertx.core :as vc]))

@ -94,11 +93,12 @@

 (defn- validate-password
  [conn {:keys [user old-password] :as params}]
-  (p/let [profile (get-profile conn user)]
-    (when-not (hashers/check old-password (:password profile))
+  (p/let [profile (get-profile conn user)
+          result (pwhash/verify old-password (:password profile))]
+    (when-not (:valid result)
      (ex/raise :type :validation
                :code ::old-password-not-match))
-   params))
+    params))

 (defn update-password
  [conn {:keys [user password]}]
@ -194,7 +194,7 @@
  [conn {:keys [id username fullname email password metadata] :as params}]
  (let [id (or id (uuid/next))
        metadata (blob/encode metadata)
-        password (hashers/encrypt password)
+        password (pwhash/derive password)
        sqlv [create-user-sql
              id
              fullname
--- a/backend/src/uxbox/util/token.clj
+++ b/backend/src/uxbox/util/token.clj
@ -1,24 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; Copyright (c) 2016 Andrey Antukh <niwi@niwi.nz>
-
-(ns uxbox.util.token
-  "Facilities for generate random tokens."
-  (:require [buddy.core.nonce :as nonce]
-            [buddy.core.hash :as hash]
-            [buddy.core.codecs :as codecs]
-            [buddy.core.codecs.base64 :as b64]))
-
-(defn random
-  "Returns a 32 bytes randomly generated token
-  with 1024 random seed. The output is encoded
-  using urlsafe variant of base64."
-  []
-  (-> (nonce/random-bytes 1024)
-      (hash/blake2b-256)
-      (b64/encode true)
-      (codecs/bytes->str)))
-
-
--- a/backend/src/vertx/http.clj
+++ b/backend/src/vertx/http.clj
@ -129,10 +129,6 @@
      (assign-status-and-headers! res data)
      (-handle-body body res)))

-  ;; ServerWebSocket
-  ;; (-handle-response [sws ctx]
-  ;;   (.accept ^ServerWebSocket sws))
-
  nil
  (-handle-response [sws ctx]))

@ -140,7 +136,6 @@
  (Class/forName "[B")
  (-handle-body [data res]
    (.end ^HttpServerResponse res (Buffer/buffer data)))
-
  Buffer
  (-handle-body [data res]
    (.end ^HttpServerResponse res ^Buffer data))