The latest updates on your projects. Learn more about Vercel for GitHub.
Code flagged by the alert (apps/web/lib/utils.ts):

    // Inspired from: https://github.com/nextauthjs/next-auth/blob/c4ad77b86762b7fd2e6362d8bf26c5953846774a/packages/next-auth/src/core/lib/utils.ts#L16
    export function hashCode(code: number) {
      return createHash("sha256")
        .update(`${code}${process.env.AUTH_SECRET}`)
Check failure
Code scanning / CodeQL
Use of password hash with insufficient computational effort (High)

Copilot Autofix
AI 6 months ago
To fix the problem, we should replace the use of crypto.createHash('sha256') with a proper password hashing function, such as bcrypt. This means importing the bcrypt library, and using bcrypt.hashSync (or its async variant if desired) to hash the passcode along with a unique salt.
The hashCode function in apps/web/lib/utils.ts should be changed to use bcrypt.hashSync, using a salt value that is sufficiently high (e.g., 10 rounds). Since only the static six-digit passcode (plus the secret) is currently hashed, the resulting code will now use bcrypt's built-in salting and iteration functionality. Any usage of hashCode (called on line 33 in apps/web/app/api/auth/code/generate/route.ts) will now use the improved hashing scheme, but no further changes are needed to the rest of this code.
We need to:
- Import the `bcrypt` library at the top of `apps/web/lib/utils.ts`.
- Update `hashCode` to use `bcrypt.hashSync` instead of `crypto.createHash`.
- Optionally, update any relevant tests or usages, but none are present in the shown snippet.
| @@ -1,5 +1,6 @@ | ||
| import { UIConstants } from "@courselit/common-models"; | ||
| import { createHash, randomInt } from "crypto"; | ||
| import { randomInt } from "crypto"; | ||
| import bcrypt from "bcrypt"; | ||
|
|
||
| export const capitalize = (s: string) => { | ||
| if (typeof s !== "string") return ""; | ||
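Review bot: dropping `createHash` from the import is only safe if no other function in apps/web/lib/utils.ts still calls it; the hunks shown cover lines 1-6 and 70-77 of the file, so the rest of the file needs checking before this compiles. Also, `import bcrypt from "bcrypt"` is a default import of a CommonJS package and requires `esModuleInterop` in the tsconfig; otherwise use `import * as bcrypt from "bcrypt"`.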
| @@ -69,7 +70,7 @@ | ||
|
|
||
| // Inspired from: https://github.com/nextauthjs/next-auth/blob/c4ad77b86762b7fd2e6362d8bf26c5953846774a/packages/next-auth/src/core/lib/utils.ts#L16 | ||
| export function hashCode(code: number) { | ||
| return createHash("sha256") | ||
| .update(`${code}${process.env.AUTH_SECRET}`) | ||
| .digest("hex"); | ||
| const saltRounds = 10; | ||
| const toHash = `${code}${process.env.AUTH_SECRET}`; | ||
| return bcrypt.hashSync(toHash, saltRounds); | ||
| } |
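Review bot: `bcrypt.hashSync` generates a fresh random salt on every call, so `hashCode(code)` no longer returns a stable value; the autofix text above says no further changes are needed, but any call site that verifies a submitted code by recomputing `hashCode(code)` and comparing it to a stored value (the generate route on line 33 of apps/web/app/api/auth/code/generate/route.ts is named, and its verify counterpart must exist) will now always mismatch and has to switch to `bcrypt.compare` against the stored hash. Two further points: bcrypt only consumes the first 72 bytes of its input, so with a long `AUTH_SECRET` the tail of the secret is silently ignored by `${code}${process.env.AUTH_SECRET}`; and `hashSync` blocks the event loop for the full cost, so inside a route handler the async `bcrypt.hash` is preferable.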
| @@ -77,7 +77,8 @@ | ||
| "stripe": "^17.5.0", | ||
| "tailwind-merge": "^2.5.4", | ||
| "tailwindcss-animate": "^1.0.7", | ||
| "zod": "^3.24.1" | ||
| "zod": "^3.24.1", | ||
| "bcrypt": "^6.0.0" | ||
| }, | ||
| "devDependencies": { | ||
| "@shelf/jest-mongodb": "^5.2.2", |
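Review bot: adding `bcrypt` pulls in a native addon that is compiled or fetched as a prebuilt binary at install time, which is worth confirming against the deployment target (the Vercel bot is active on this PR) before merging; the pure-JS `bcryptjs` package is a drop-in alternative if that is a problem. The diff also only touches package.json, so the lockfile needs regenerating in the same change.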
| Package | Version | Security advisories |
|---|---|---|
| bcrypt (npm) | 6.0.0 | None |
No description provided.