diff --git a/.gitignore b/.gitignore
index 8ab4304a6..6ddfc64b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,15 +8,14 @@ pom.xml
 .lein-plugins/
 .repl
 .nrepl-port
+.cpcache
+.rebel_readline_history
+/vendor/**/target
 node_modules
-/backend/.cpcache
 /backend/target/
 /backend/resources/public/media
 /backend/dist/
 /backend/-
-/backend/.rebel_readline_history
-/frontend/.rebel_readline_history
-/frontend/.cpcache
 /frontend/npm-debug.log
 /frontend/target/
 /frontend/dist/
diff --git a/backend/deps.edn b/backend/deps.edn
index 656ce16d2..99327c313 100644
--- a/backend/deps.edn
+++ b/backend/deps.edn
@@ -34,15 +34,15 @@
   hiccup/hiccup {:mvn/version "1.0.5"}
   org.im4java/im4java {:mvn/version "1.4.0"}
-  buddy/buddy-sign {:mvn/version "3.1.0"}
-  buddy/buddy-hashers {:mvn/version "1.4.0"}
-  org.xerial.snappy/snappy-java {:mvn/version "1.1.7.3"}
   com.github.spullara.mustache.java/compiler {:mvn/version "0.9.6"}
   commons-io/commons-io {:mvn/version "2.6"}
   com.draines/postal {:mvn/version "2.0.3"
                       :exclusions [commons-codec/commons-codec]}
+  funcool/sodi {:local/root "vendor/sodi"
+                :deps/manifest :pom}
+
   ;; exception printing
   io.aviso/pretty {:mvn/version "0.1.37"}
diff --git a/backend/src/uxbox/config.clj b/backend/src/uxbox/config.clj
index 803b61261..c7466fa70 100644
--- a/backend/src/uxbox/config.clj
+++ b/backend/src/uxbox/config.clj
@@ -2,16 +2,16 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; Copyright (c) 2017 Andrey Antukh
+;; This Source Code Form is "Incompatible With Secondary Licenses", as
+;; defined by the Mozilla Public License, v. 2.0.
+;;
+;; Copyright (c) 2017-2020 Andrey Antukh
 
 (ns uxbox.config
   "A configuration management."
   (:require
-   [clojure.java.io :as io]
    [clojure.tools.logging :as log]
-   [clojure.edn :as edn]
    [cuerdas.core :as str]
-   [buddy.core.hash :as hash]
    [environ.core :refer [env]]
    [mount.core :refer [defstate]]
    [uxbox.common.exceptions :as ex]))
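Review bot: The new `funcool/sodi {:local/root "vendor/sodi" :deps/manifest :pom}` entry moves the password-hashing implementation to a vendored tree with no version coordinate, so its provenance is only whatever is committed under vendor/sodi and nothing in the hunk says where it came from. A comment next to the entry recording the upstream coordinate, e.g. `;; vendored copy of funcool/sodi at <upstream version/commit placeholder>; update vendor/sodi together with this entry`, would make the supply-chain change reviewable and keep later bumps deliberate. The same hunk also drops `buddy/buddy-sign` and `org.xerial.snappy/snappy-java`, which the rest of the diff does not explain; a missing transitive dependency in Clojure only surfaces when the requiring namespace is loaded, so it is worth confirming no remaining namespace still requires `buddy.sign.*` or `buddy.core.*` (the deleted uxbox.util.token presumably got `buddy.core.*` transitively from these artifacts).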
@@ -74,14 +74,14 @@
 ;; --- Secret Loading & Parsing
 
-(defn- initialize-secret
-  [config]
-  (let [secret (:secret config)]
-    (when-not secret
-      (ex/raise :code ::missing-secret-key
-                :message "Missing `:secret` key in config."))
-    (hash/blake2b-256 secret)))
-
-(defstate secret
-  :start (initialize-secret config))
+;; (defn- initialize-secret
+;;   [config]
+;;   (let [secret (:secret config)]
+;;     (when-not secret
+;;       (ex/raise :code ::missing-secret-key
+;;                 :message "Missing `:secret` key in config."))
+;;     (hash/blake2b-256 secret)))
+;;
+;; (defstate secret
+;;   :start (initialize-secret config))
diff --git a/backend/src/uxbox/fixtures.clj b/backend/src/uxbox/fixtures.clj
index d411968db..86a8e6fb6 100644
--- a/backend/src/uxbox/fixtures.clj
+++ b/backend/src/uxbox/fixtures.clj
@@ -8,7 +8,7 @@
   "A initial fixtures."
   (:require
    [clojure.tools.logging :as log]
-   [buddy.hashers :as hashers]
+   [sodi.pwhash :as pwhash]
    [mount.core :as mount]
    [promesa.core :as p]
    [uxbox.config :as cfg]
@@ -30,7 +30,7 @@
         values ($1, $2, $3, $4, $5, $6)
         returning *;")
 
-(def password (hashers/encrypt "123123"))
+(def password (pwhash/derive "123123"))
 
 (defn create-user
   [conn user-index]
@@ -185,7 +185,6 @@
   [& args]
   (try
     (-> (mount/only #{#'uxbox.config/config
-                      #'uxbox.config/secret
                       #'uxbox.core/system
                       #'uxbox.db/pool
                       #'uxbox.migrations/migrations})
diff --git a/backend/src/uxbox/http.clj b/backend/src/uxbox/http.clj
index ac80b9cdb..288c5cea7 100644
--- a/backend/src/uxbox/http.clj
+++ b/backend/src/uxbox/http.clj
@@ -46,6 +46,7 @@
         routes [["/sub/:file-id" {:interceptors [(vxi/cookies)
                                                  (vxi/cors cors-opts)
+                                                 interceptors/format-response-body
                                                  (session/auth)]
                                   :get ws/handler}]
diff --git a/backend/src/uxbox/services/mutations/auth.clj b/backend/src/uxbox/services/mutations/auth.clj
index 9011dfc01..d88af4c73 100644
--- a/backend/src/uxbox/services/mutations/auth.clj
+++ b/backend/src/uxbox/services/mutations/auth.clj
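Review bot: `initialize-secret` and the `secret` defstate are commented out rather than deleted, leaving ten lines of dead code that still reference `hash/blake2b-256` even though the `buddy.core.hash` require was removed from the ns form in the previous hunk, so the commented block could not be restored as-is. If the secret is no longer needed the block should simply go (git keeps the history); if it is parked for a later migration, a one-line comment stating that, e.g. `;; secret derivation disabled pending <reason/ticket placeholder>`, is better than the silent comment-out. This also removes the boot-time check that `:secret` is present in the config, and the fixtures hunk below drops `#'uxbox.config/secret` from the mount set; any remaining consumer of `cfg/secret` (none is visible in this diff) would now fail at first use rather than at startup, which is worth confirming.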
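Review bot: `interceptors/format-response-body` is inserted on the `/sub/:file-id` websocket route between `(vxi/cors cors-opts)` and `(session/auth)` with nothing explaining why a response-body formatter belongs on an upgrade endpoint; if the intent is that a rejection raised by `(session/auth)` gets a formatted error body on the way out, the position before the auth interceptor is what makes that work and deserves a comment such as `;; must precede session/auth so its rejection response is formatted`. The `interceptors` alias is not introduced in this hunk, so it is presumed to be required in the ns form outside it.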
@@ -7,7 +7,7 @@
 (ns uxbox.services.mutations.auth
   (:require
    [clojure.spec.alpha :as s]
-   [buddy.hashers :as hashers]
+   [sodi.pwhash :as pwhash]
    [promesa.core :as p]
    [uxbox.config :as cfg]
    [uxbox.common.exceptions :as ex]
@@ -32,7 +32,8 @@
 (sm/defmutation ::login
   [{:keys [username password scope] :as params}]
   (letfn [(check-password [user password]
-            (hashers/check password (:password user)))
+            (let [result (pwhash/verify password (:password user))]
+              (:valid result)))
           (check-user [user]
             (when-not user
diff --git a/backend/src/uxbox/services/mutations/users.clj b/backend/src/uxbox/services/mutations/users.clj
index 95314f808..3156e29a6 100644
--- a/backend/src/uxbox/services/mutations/users.clj
+++ b/backend/src/uxbox/services/mutations/users.clj
@@ -6,7 +6,7 @@
 (ns uxbox.services.mutations.users
   (:require
-   [buddy.hashers :as hashers]
+   [sodi.pwhash :as pwhash]
    [clojure.spec.alpha :as s]
    [datoteka.core :as fs]
    [datoteka.storages :as ds]
@@ -26,7 +26,6 @@
                                    strip-private-attrs
                                    resolve-thumbnail]]
    [uxbox.util.blob :as blob]
-   [uxbox.util.token :as token]
    [uxbox.util.uuid :as uuid]
    [vertx.core :as vc]))
@@ -94,11 +93,12 @@
 (defn- validate-password
   [conn {:keys [user old-password] :as params}]
-  (p/let [profile (get-profile conn user)]
-    (when-not (hashers/check old-password (:password profile))
+  (p/let [profile (get-profile conn user)
+          result (pwhash/verify old-password (:password profile))]
+    (when-not (:valid result)
       (ex/raise :type :validation
                 :code ::old-password-not-match))
-      params))
+    params))
 
 (defn update-password
   [conn {:keys [user password]}]
@@ -194,7 +194,7 @@
   [conn {:keys [id username fullname email password metadata] :as params}]
   (let [id (or id (uuid/next))
         metadata (blob/encode metadata)
-        password (hashers/encrypt password)
+        password (pwhash/derive password)
         sqlv [create-user-sql
               id
               fullname
diff --git a/backend/src/uxbox/util/token.clj b/backend/src/uxbox/util/token.clj
deleted file mode 100644
index 605c9af1f..000000000
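Review bot: `check-password` reduces `pwhash/verify`'s result map to `(:valid result)`, and users.clj's `validate-password` in the next file does the same; anything else sodi reports in that map (an outdated-parameters or upgrade flag, if it provides one — not visible here) is discarded, so a stored hash would never be re-derived after a successful login, which deserves either a comment or a small shared helper instead of two copies. Worth confirming is what `pwhash/verify` does when `(:password user)` is nil or not a sodi-formatted string: buddy's `hashers/check` returned false for a nil hash rather than throwing, and if `verify` throws, the login path surfaces an internal error instead of an authentication failure. Existing rows were hashed by `hashers/encrypt`, so unless sodi parses the buddy-hashers format or a migration re-hashes them, those accounts cannot log in after this change, and nothing in the diff addresses that. The `::login` mutation continues past the end of the hunk.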
--- a/backend/src/uxbox/util/token.clj
+++ /dev/null
@@ -1,24 +0,0 @@
-;; This Source Code Form is subject to the terms of the Mozilla Public
-;; License, v. 2.0. If a copy of the MPL was not distributed with this
-;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;;
-;; Copyright (c) 2016 Andrey Antukh
-
-(ns uxbox.util.token
-  "Facilities for generate random tokens."
-  (:require [buddy.core.nonce :as nonce]
-            [buddy.core.hash :as hash]
-            [buddy.core.codecs :as codecs]
-            [buddy.core.codecs.base64 :as b64]))
-
-(defn random
-  "Returns a 32 bytes randomly generated token
-  with 1024 random seed. The output is encoded
-  using urlsafe variant of base64."
-  []
-  (-> (nonce/random-bytes 1024)
-      (hash/blake2b-256)
-      (b64/encode true)
-      (codecs/bytes->str)))
-
-
diff --git a/backend/src/vertx/http.clj b/backend/src/vertx/http.clj
index da6a27640..1f29efb6f 100644
--- a/backend/src/vertx/http.clj
+++ b/backend/src/vertx/http.clj
@@ -129,10 +129,6 @@
       (assign-status-and-headers! res data)
       (-handle-body body res)))
 
-  ;; ServerWebSocket
-  ;; (-handle-response [sws ctx]
-  ;;   (.accept ^ServerWebSocket sws))
-
   nil
   (-handle-response [sws ctx]))
@@ -140,7 +136,6 @@
   (Class/forName "[B")
   (-handle-body [data res]
     (.end ^HttpServerResponse res (Buffer/buffer data)))
-
   Buffer
   (-handle-body [data res]
     (.end ^HttpServerResponse res ^Buffer data))