mirror of https://github.com/penpot/penpot.git synced 2025-01-22 14:39:45 -05:00

Replace buddy-hashers with sodi.pwhash.

Andrey Antukh 2020-01-12 19:00:18 +00:00
parent 19529408f4
commit 6a99345475
9 changed files with 32 additions and 61 deletions

7
.gitignore vendored

@ -8,15 +8,14 @@ pom.xml
.lein-plugins/
.repl
.nrepl-port
.cpcache
.rebel_readline_history
/vendor/**/target
node_modules
/backend/.cpcache
/backend/target/
/backend/resources/public/media
/backend/dist/
/backend/-
/backend/.rebel_readline_history
/frontend/.rebel_readline_history
/frontend/.cpcache
/frontend/npm-debug.log
/frontend/target/
/frontend/dist/


@ -34,15 +34,15 @@
hiccup/hiccup {:mvn/version "1.0.5"}
org.im4java/im4java {:mvn/version "1.4.0"}
buddy/buddy-sign {:mvn/version "3.1.0"}
buddy/buddy-hashers {:mvn/version "1.4.0"}
org.xerial.snappy/snappy-java {:mvn/version "1.1.7.3"}
com.github.spullara.mustache.java/compiler {:mvn/version "0.9.6"}
commons-io/commons-io {:mvn/version "2.6"}
com.draines/postal {:mvn/version "2.0.3"
:exclusions [commons-codec/commons-codec]}
funcool/sodi {:local/root "vendor/sodi"
:deps/manifest :pom}
;; exception printing
io.aviso/pretty {:mvn/version "0.1.37"}
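Review bot: The `funcool/sodi {:local/root "vendor/sodi" :deps/manifest :pom}` entry replaces a versioned Maven coordinate with a vendored tree, so nothing in this file records which upstream revision of the password-hashing library is being built. Because this library now derives and verifies every stored password hash, I would add a comment above the entry such as `;; vendored from <UPSTREAM_REPO_URL> at <COMMIT_SHA>; update when re-syncing vendor/sodi` and keep it current. That gives reviewers something to diff against when the vendored copy changes.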


@ -2,16 +2,16 @@
;; License, v. 2.0. If a copy of the MPL was not distributed with this
;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;;
;; Copyright (c) 2017 Andrey Antukh <niwi@niwi.nz>
;; This Source Code Form is "Incompatible With Secondary Licenses", as
;; defined by the Mozilla Public License, v. 2.0.
;;
;; Copyright (c) 2017-2020 Andrey Antukh <niwi@niwi.nz>
(ns uxbox.config
"A configuration management."
(:require
[clojure.java.io :as io]
[clojure.tools.logging :as log]
[clojure.edn :as edn]
[cuerdas.core :as str]
[buddy.core.hash :as hash]
[environ.core :refer [env]]
[mount.core :refer [defstate]]
[uxbox.common.exceptions :as ex]))
@ -74,14 +74,14 @@
;; --- Secret Loading & Parsing
(defn- initialize-secret
[config]
(let [secret (:secret config)]
(when-not secret
(ex/raise :code ::missing-secret-key
:message "Missing `:secret` key in config."))
(hash/blake2b-256 secret)))
(defstate secret
:start (initialize-secret config))
;; (defn- initialize-secret
;; [config]
;; (let [secret (:secret config)]
;; (when-not secret
;; (ex/raise :code ::missing-secret-key
;; :message "Missing `:secret` key in config."))
;; (hash/blake2b-256 secret)))
;;
;; (defstate secret
;; :start (initialize-secret config))
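Review bot: The second hunk disables `initialize-secret` and the `secret` state by commenting them out rather than deleting them, which leaves a dead secret-derivation routine in the config namespace with no indication of whether it is meant to come back. If it is gone for good, delete the block; if it is parked, put a one-line reason above it, e.g. `;; TODO: secret derivation disabled while moving off buddy; restore or remove`. The `[buddy.core.hash :as hash]` require in the first hunk appears to have no remaining user once this block is commented out, so it should be dropped from the `ns` form if it is still on the new side. Any code outside this diff that still reads `uxbox.config/secret` would stop resolving, and only the fixtures reference is visibly removed here, so a search for other users is worth doing before merge.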


@ -8,7 +8,7 @@
"A initial fixtures."
(:require
[clojure.tools.logging :as log]
[buddy.hashers :as hashers]
[sodi.pwhash :as pwhash]
[mount.core :as mount]
[promesa.core :as p]
[uxbox.config :as cfg]
@ -30,7 +30,7 @@
values ($1, $2, $3, $4, $5, $6)
returning *;")
(def password (hashers/encrypt "123123"))
(def password (pwhash/derive "123123"))
(defn create-user
[conn user-index]
@ -185,7 +185,6 @@
[& args]
(try
(-> (mount/only #{#'uxbox.config/config
#'uxbox.config/secret
#'uxbox.core/system
#'uxbox.db/pool
#'uxbox.migrations/migrations})
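Review bot: `(def password (pwhash/derive "123123"))` runs the key derivation at namespace load and gives every fixture user the same known password and the same stored hash, and nothing in the visible hunks marks this namespace as development-only. A comment above the def, e.g. `;; dev-only fixture credential; never load fixtures against a production database`, would make that constraint explicit. `create-user` and the entry point that calls `mount/only` continue outside the hunks, so whether an environment guard already exists is not visible here.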


@ -46,6 +46,7 @@
routes [["/sub/:file-id" {:interceptors [(vxi/cookies)
(vxi/cors cors-opts)
interceptors/format-response-body
(session/auth)]
:get ws/handler}]
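Review bot: The `/sub/:file-id` route hands a cookie-authenticated request to `ws/handler`, and browsers do not apply CORS to WebSocket handshakes, so `(vxi/cors cors-opts)` in this interceptor chain does not act as an origin check for the upgrade. If neither `(session/auth)` nor `ws/handler` already compares the `Origin` header against the allowed origins (neither implementation is visible in this hunk), that check should be added before the socket is accepted. The `routes` vector begins and ends outside the hunk.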


@ -7,7 +7,7 @@
(ns uxbox.services.mutations.auth
(:require
[clojure.spec.alpha :as s]
[buddy.hashers :as hashers]
[sodi.pwhash :as pwhash]
[promesa.core :as p]
[uxbox.config :as cfg]
[uxbox.common.exceptions :as ex]
@ -32,7 +32,8 @@
(sm/defmutation ::login
[{:keys [username password scope] :as params}]
(letfn [(check-password [user password]
(hashers/check password (:password user)))
(let [result (pwhash/verify password (:password user))]
(:valid result)))
(check-user [user]
(when-not user
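Review bot: `check-password` now passes the stored `(:password user)` to `pwhash/verify`, but every hash already in the database was written by `hashers/encrypt`, and nothing in this commit shows that the new verifier accepts that format or that existing rows are migrated. If it does not, existing accounts can no longer log in, or verification may throw instead of returning a result with `:valid` false; a test that verifies a buddy-generated hash, or an explicit migration/reset path, would settle this. Separately, only `(:valid result)` is read; if the result map also reports that the stored hash should be upgraded, login is the natural place to re-derive and save it. The `letfn` continues past the end of the hunk.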


@ -6,7 +6,7 @@
(ns uxbox.services.mutations.users
(:require
[buddy.hashers :as hashers]
[sodi.pwhash :as pwhash]
[clojure.spec.alpha :as s]
[datoteka.core :as fs]
[datoteka.storages :as ds]
@ -26,7 +26,6 @@
strip-private-attrs
resolve-thumbnail]]
[uxbox.util.blob :as blob]
[uxbox.util.token :as token]
[uxbox.util.uuid :as uuid]
[vertx.core :as vc]))
@ -94,11 +93,12 @@
(defn- validate-password
[conn {:keys [user old-password] :as params}]
(p/let [profile (get-profile conn user)]
(when-not (hashers/check old-password (:password profile))
(p/let [profile (get-profile conn user)
result (pwhash/verify old-password (:password profile))]
(when-not (:valid result)
(ex/raise :type :validation
:code ::old-password-not-match))
params))
params))
(defn update-password
[conn {:keys [user password]}]
@ -194,7 +194,7 @@
[conn {:keys [id username fullname email password metadata] :as params}]
(let [id (or id (uuid/next))
metadata (blob/encode metadata)
password (hashers/encrypt password)
password (pwhash/derive password)
sqlv [create-user-sql
id
fullname
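Review bot: In `validate-password`, `pwhash/verify` is now bound inside the `p/let` before anything checks that `get-profile` returned a row, so a missing profile or a null `:password` column reaches the verifier as `nil` and may surface as an exception rather than the `::old-password-not-match` validation error. Guarding the binding, e.g. `result (some->> (:password profile) (pwhash/verify old-password))`, keeps that failure on the validation path because `(:valid nil)` is falsy. `update-password` and the user-creation function that calls `(pwhash/derive password)` are cut by the hunk boundaries, so their handling of an empty or missing password is not visible here.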


@ -1,24 +0,0 @@
;; This Source Code Form is subject to the terms of the Mozilla Public
;; License, v. 2.0. If a copy of the MPL was not distributed with this
;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;;
;; Copyright (c) 2016 Andrey Antukh <niwi@niwi.nz>
(ns uxbox.util.token
"Facilities for generate random tokens."
(:require [buddy.core.nonce :as nonce]
[buddy.core.hash :as hash]
[buddy.core.codecs :as codecs]
[buddy.core.codecs.base64 :as b64]))
(defn random
"Returns a 32 bytes randomly generated token
with 1024 random seed. The output is encoded
using urlsafe variant of base64."
[]
(-> (nonce/random-bytes 1024)
(hash/blake2b-256)
(b64/encode true)
(codecs/bytes->str)))


@ -129,10 +129,6 @@
(assign-status-and-headers! res data)
(-handle-body body res)))
;; ServerWebSocket
;; (-handle-response [sws ctx]
;; (.accept ^ServerWebSocket sws))
nil
(-handle-response [sws ctx]))
@ -140,7 +136,6 @@
(Class/forName "[B")
(-handle-body [data res]
(.end ^HttpServerResponse res (Buffer/buffer data)))
Buffer
(-handle-body [data res]
(.end ^HttpServerResponse res ^Buffer data))