Move hashing to server side for api version 4

tobil4sk · Dec 13, 2023 · 18a6f79 · 18a6f79
1 parent 943bc68
commit 18a6f79
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 12 deletions.
diff --git a/src/haxelib/client/Main.hx b/src/haxelib/client/Main.hx
@@ -23,7 +23,6 @@ package haxelib.client;
 
 import haxe.display.Server.ConfigurePrintParams;
 import haxelib.VersionData.VersionDataHelper;
-import haxe.crypto.Md5;
 import haxe.iterators.ArrayIterator;
 
 import sys.FileSystem;
@@ -358,13 +357,12 @@ class Main {
 	function doRegister(name) {
 		final email = getArgument("Email");
 		final fullname = getArgument("Fullname");
-		final pass = getSecretArgument("Password");
-		final pass2 = getSecretArgument("Confirm");
-		if( pass != pass2 )
+		final password = getSecretArgument("Password");
+		final repeatedPassword = getSecretArgument("Confirm");
+		if (password != repeatedPassword )
 			throw "Password does not match";
-		final encodedPassword = Md5.encode(pass);
-		Connection.register(name, encodedPassword, email, fullname);
-		return encodedPassword;
+		Connection.register(name, password, email, fullname);
+		return password;
 	}
 
 	#if neko
@@ -400,13 +398,13 @@ class Main {
 	#end
 
 	function readPassword(user:String, prompt = "Password"):String {
-		var password = Md5.encode(getSecretArgument(prompt));
+		var password = getSecretArgument(prompt);
 		var attempts = 5;
 		while (!Connection.checkPassword(user, password)) {
 			Cli.print('Invalid password for $user');
 			if (--attempts == 0)
 				throw 'Failed to input correct password';
-			password = Md5.encode(getSecretArgument('$prompt ($attempts more attempt${attempts == 1 ? "" : "s"})'));
+			password = getSecretArgument('$prompt ($attempts more attempt${attempts == 1 ? "" : "s"})');
 		}
 		return password;
 	}

diff --git a/src/haxelib/server/Repo.hx b/src/haxelib/server/Repo.hx
@@ -25,6 +25,7 @@ import haxe.io.*;
 import sys.io.*;
 import sys.*;
 import sys.db.*;
+import haxe.crypto.Md5;
 
 import haxelib.Data;
 import haxelib.MetaData;
@@ -112,6 +113,7 @@ class Repo implements SiteApi {
 	}
 
 	public function register( name : String, pass : String, mail : String, fullname : String ) : Void {
+		var hashedPassword = #if (haxelib_api_version == "4.0") Md5.encode(pass) #else pass #end;
 		if( name.length < 3 )
 			throw "User name must be at least 3 characters";
 		if( !Data.alphanum.match(name) )
@@ -125,7 +127,7 @@ class Repo implements SiteApi {
 
 		var u = new User();
 		u.name = name;
-		u.pass = pass;
+		u.pass = hashedPassword;
 		u.email = mail;
 		u.fullname = fullname;
 		u.insert();
@@ -146,8 +148,9 @@ class Repo implements SiteApi {
 	}
 
 	public function checkPassword( user : String, pass : String ) : Bool {
+		var hashedPassword = #if (haxelib_api_version == "4.0") Md5.encode(pass) #else pass #end;
 		var u = User.manager.search({ name : user }).first();
-		return u != null && u.pass == pass;
+		return u != null && u.pass == hashedPassword;
 	}
 
 	public function getSubmitId() : String {
@@ -176,6 +179,7 @@ class Repo implements SiteApi {
 	}
 
 	public function processSubmit( id : String, user : String, pass : String ) : String {
+		var hashedPassword = #if (haxelib_api_version == "4.0") Md5.encode(pass) #else pass #end;
 		neko.Web.logMessage("processSubmit " + id);
 		var tmpFile = Path.join([TMP_DIR_NAME, Std.parseInt(id)+".tmp"]);
 		return FileStorage.instance.readFile(
@@ -201,7 +205,7 @@ class Repo implements SiteApi {
 				Manager.cnx.startTransaction();
 
 				var u = User.manager.search({ name : user }).first();
-				if( u == null || u.pass != pass ) {
+				if( u == null || u.pass != hashedPassword ) {
 					Manager.cnx.rollback();
 					throw "Invalid username or password";
 				}