xivdev/XIVPlan-DB
1
0
Fork 0
Code Issues Wiki Activity

change pin to hash, use bcrypt for some sense of sensible security on passwords

Browse Source
This commit is contained in:
Ean Milligan
2026-04-23 02:39:50 -04:00
parent c6eab65f1d
commit 04074d19e5
4 changed files with 52 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
mod.ts
View File

@@ -1,3 +1,4 @@
import { hash, verify } from '@bcrypt';
import { customAlphabet } from '@nanoid';
import { STATUS_CODE, STATUS_TEXT, StatusCode } from '@std/http/status';
@@ -101,12 +102,13 @@ Deno.serve({ port: config.api.port }, async (req) => {
if (userNameMatches.length === 0) {
if (body.name.length < 4 || body.name.length > 20)
return genericResponse(STATUS_CODE.BadRequest, `Name too ${body.name.length < 4 ? 'short' : 'long'}.`);
if (body.pin.length < 4 || body.pin.length > 16) return genericResponse(STATUS_CODE.BadRequest, `PIN too ${body.pin.length < 4 ? 'short' : 'long'}.`);
if (body.pin.length < 4) return genericResponse(STATUS_CODE.BadRequest, `PIN too ${body.pin.length < 4 ? 'short' : 'long'}.`);
if (body.email.length > 255) return genericResponse(STATUS_CODE.BadRequest, 'Email too long.');
const id = nanoid();
const pinHash = await hash(body.pin);
await dbClient.execute('INSERT INTO users(id,name,pin,email) values(?,?,?,?)', [id, body.name, body.pin, body.email]).catch(() => {
await dbClient.execute('INSERT INTO users(id,name,hash,email) values(?,?,?,?)', [id, body.name, pinHash, body.email]).catch(() => {
failed = true;
});
@@ -121,11 +123,12 @@ Deno.serve({ port: config.api.port }, async (req) => {
} else {
const body = await req.json();
const loginMatch = await dbClient.query('SELECT id, email, deleteCode FROM users WHERE name = ? AND pin = ?', [body.name, body.pin]).catch(() => {
const loginMatch = await dbClient.query('SELECT id, hash, email, deleteCode FROM users WHERE name = ?', [body.name]).catch(() => {
failed = true;
});
if (failed) return genericResponse(STATUS_CODE.InternalServerError, "Couldn't read DB.");
if (loginMatch.length === 0) return genericResponse(STATUS_CODE.Forbidden, 'Invalid name/PIN combination.');
if (loginMatch.length === 0) return genericResponse(STATUS_CODE.Forbidden, 'Invalid name/PIN combination. Remember name is case sensitive.');
if (!(await verify(body.pin, loginMatch[0].hash))) return genericResponse(STATUS_CODE.Forbidden, 'Invalid name/PIN combination.');
const id = loginMatch[0].id;
const email = loginMatch[0].email;
const hasEmail = email.length > 0;