From 1fb4cf31064d4fcc8a10918dcfac916fb8777f20 Mon Sep 17 00:00:00 2001
From: "Umang G. Patel" <23169768+robonetphy@users.noreply.github.com>
Date: Thu, 21 Apr 2022 23:53:02 +0530
Subject: [PATCH] raw password comparison added
---
 src/backend/routes/auth.ts | 44 ++++++++++++-------------
 src/backend/routes/middlewares/token.ts | 4 +--
 2 files changed, 23 insertions(+), 25 deletions(-)
diff --git a/src/backend/routes/auth.ts b/src/backend/routes/auth.ts
index 0f0065e..4968fcd 100644
--- a/src/backend/routes/auth.ts
+++ b/src/backend/routes/auth.ts
@@ -28,9 +28,9 @@ router.get('/auth', csrfProtection, function (req: Request, res: Response) {
 router.post('/auth', parseForm, csrfProtection, async (req: Request, res: Response) => {
   try {
     const userDoc = await Users.get();
-    const passHash = userDoc.passHash;
+    const password = userDoc.password;
-    if (!passHash) {
+    if (!password) {
       res.render('auth', {
         title: 'Login page',
         header: 'Password not set',
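Review bot: `const password = userDoc.password;` reads a different field than the line it replaces, so a user document written by the previous version, which carries `passHash` only, will now fall into the 'Password not set' branch below instead of continuing to work — presumably a migration or a forced password re-set exists elsewhere; if it does not, one is needed before this ships. The new name also hides that the value is the raw credential rather than a digest, which a reader of this handler needs to know, so a short comment such as `// raw credential as stored in the user document (not a hash)` on that line would help. The `router.post` handler continues past the hunk.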
@@ -40,30 +40,28 @@ router.post('/auth', parseForm, csrfProtection, async (req: Request, res: Respon
       return;
     }
-    bcrypt.compare(req.body.password, passHash, async (err, result) => {
-      if (err || result === false) {
-        res.render('auth', {
-          title: 'Login page',
-          header: 'Wrong password',
-          csrfToken: req.csrfToken(),
-        });
-
-        return;
-      }
-
-      const token = jwt.sign({
-        iss: 'Codex Team',
-        sub: 'auth',
-        iat: Date.now(),
-      }, passHash + config.get('secret'));
-
-      res.cookie('authToken', token, {
-        httpOnly: true,
-        expires: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
+    if (req.body.password !== password) {
+      res.render('auth', {
+        title: 'Login page',
+        header: 'Wrong password',
+        csrfToken: req.csrfToken(),
       });
-      res.redirect('/');
+      return;
+    }
+
+    const token = jwt.sign({
+      iss: 'Codex Team',
+      sub: 'auth',
+      iat: Date.now(),
+    }, password + config.get('secret'));
+
+    res.cookie('authToken', token, {
+      httpOnly: true,
+      expires: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
     });
+
+    res.redirect('/');
   } catch (err) {
     res.render('auth', {
       title: 'Login page',
diff --git a/src/backend/routes/middlewares/token.ts b/src/backend/routes/middlewares/token.ts
index 2289be1..25dec95 100644
--- a/src/backend/routes/middlewares/token.ts
+++ b/src/backend/routes/middlewares/token.ts
@@ -19,14 +19,14 @@ export default async function verifyToken(req: Request, res: Response, next: Nex
   try {
     const userDoc = await Users.get();
-    if (!userDoc.passHash) {
+    if (!userDoc.password) {
       res.locals.isAuthorized = false;
       next();
       return;
     }
-    const decodedToken = jwt.verify(token, userDoc.passHash + config.get('secret'));
+    const decodedToken = jwt.verify(token, userDoc.password + config.get('secret'));
     res.locals.isAuthorized = !!decodedToken;
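Review bot: `if (req.body.password !== password)` compares the submitted form value against the stored value as-is, which means the user store now holds the credential in the form the user types it, and two statements later the same value becomes part of the JWT signing key (`password + config.get('secret')`), so a read of that one document yields both the login secret and the key needed to mint valid tokens; the `bcrypt.compare` path this replaces meant a leaked store could not be replayed directly. Keeping a hash is the right fix; if a plaintext field is a deliberate operational choice, record the reason in a comment where the store is written and at least make the check constant-time with `timingSafeEqual` from node's `crypto` module, since `!==` on strings is not, as sketched below (needs `import { timingSafeEqual } from 'crypto';` at the top of the file). The token.ts hunk shares the same exposure, because `jwt.verify` there derives its key from the stored password as well. The handler's `catch` branch continues past the hunk.
```typescript
    // … unchanged: Users.get() and the 'Password not set' branch …
    // Untrusted form input: only a string is a candidate; anything else fails the check below.
    const supplied = typeof req.body.password === 'string' ? Buffer.from(req.body.password) : Buffer.alloc(0);
    const expected = Buffer.from(password);
    // Length is compared first because timingSafeEqual throws on unequal lengths; a mismatch is just a wrong password.
    const matches = supplied.length === expected.length && timingSafeEqual(supplied, expected);
    if (!matches) {
      // … unchanged: 'Wrong password' render and return …
    }
    // … unchanged: jwt.sign, cookie, redirect …
```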