remove jssha and add bcrypt for password hashing with salt

2025-08-21 10:52:29 +02:00
parent 723ec0773d
commit ec15095da3
6 changed files with 48 additions and 21 deletions
--- a/src/init/init_db.ts
+++ b/src/init/init_db.ts
@@ -1,5 +1,5 @@
 import Database from 'better-sqlite3';
-import jsSHA from 'jssha';
+import bcrypt from 'bcrypt';

 const db = new Database('./src/lib/data/tatort.db');

@@ -11,7 +11,8 @@ db.exec(createSQLStmt);

 // check if there are any users; if not add one default admin one
 const userPassword = 'A-InnoHUB_2025!';
-const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
+const saltRounds = 12;
+const hashedUserPassword = bcrypt.hashSync(userPassword, saltRounds);
 const checkInsertSQLStmt = `INSERT INTO users (name, pw) SELECT 'admin', '${hashedUserPassword}'
                    WHERE NOT EXISTS (SELECT * FROM users);`;

--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,5 +1,5 @@
 import jwt from 'jsonwebtoken';
-import jsSHA from 'jssha';
+import bcrypt from 'bcrypt';
 import { db } from '$lib/server/dbService';

 import config from '$lib/config';
@@ -18,9 +18,6 @@ export function decryptToken(token: string) {
 export function authenticate(user, password) {
 	let JWTToken;

-	// hash user password
-	const hashedPW = new jsSHA('SHA-512', 'TEXT').update(password).getHash('HEX');
-
 	const getUserSQLStmt = 'SELECT name, pw FROM users WHERE name = ?';
 	const row = db.prepare(getUserSQLStmt).get(user);

@@ -29,7 +26,8 @@ export function authenticate(user, password) {
 	}
 	const storedPW = row.pw;

-	if (hashedPW && hashedPW === storedPW) {
+	const isValid = bcrypt.compareSync(password, storedPW)
+	if (isValid) {
 		JWTToken = createToken({ id: user, admin: true });
 	}

--- a/src/routes/(angemeldet)/user-management/+page.svelte
+++ b/src/routes/(angemeldet)/user-management/+page.svelte
@@ -45,8 +45,7 @@
 		}

 		const URL = '/api/users';
-		const hashedUserPassword = new jsSHA('SHA-512', 'TEXT').update(userPassword).getHash('HEX');
-		const userData = { userName: userName, userPassword: hashedUserPassword };
+		const userData = { userName: userName, userPassword: userPassword };

 		try {
 			const response = await fetch(URL, {
--- a/src/routes/api/users/+server.ts
+++ b/src/routes/api/users/+server.ts
@@ -1,5 +1,8 @@
 import { json } from '@sveltejs/kit';
 import { addUser, getUsers } from '$lib/server/userService';
+import bcrypt from 'bcrypt';
+
+const saltRounds = 12;

 export function GET({ locals }) {
 	if (!locals.user) {
@@ -24,7 +27,8 @@ export async function POST({ request, locals }) {
 		return json({ error: 'Missing input' }, { status: 400 });
 	}

-	const rowInfo = addUser(userName, userPassword);
+	const hashedPassword = bcrypt.hashSync(userPassword, saltRounds);
+	const rowInfo = addUser(userName, hashedPassword);

 	if (rowInfo?.changes == 1) {
 		return json({ userId: rowInfo.lastInsertRowid, userName: userName }, { status: 201 });