✨ Add hash support in basic auth (#943)

2025-01-12 05:17:28 -08:00 · 2020-09-10 17:49:44 +02:00 · 2020-09-10 17:49:44 +02:00 · 2a6f4ebf86
parent fccbd48937
commit 2a6f4ebf86
3 changed files with 14 additions and 3 deletions
--- a/packages/cli/config/index.ts
+++ b/packages/cli/config/index.ts
@ -319,6 +319,12 @@ const config = convict({
 				env: 'N8N_BASIC_AUTH_PASSWORD',
 				doc: 'The password of the basic auth user'
 			},
+			hash: {
+				format: 'Boolean',
+				default: false,
+				env: 'N8N_BASIC_AUTH_HASH',
+				doc: 'If password for basic auth is hashed'
+			}
 		},
 		jwtAuth: {
 			active: {
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@ -54,6 +54,7 @@
    "devDependencies": {
        "@oclif/dev-cli": "^1.22.2",
        "@types/basic-auth": "^1.1.2",
+        "@types/bcrypt": "^3.0.0",
        "@types/compression": "1.0.1",
        "@types/connect-history-api-fallback": "^1.3.1",
        "@types/convict": "^4.2.1",
@ -72,15 +73,16 @@
        "p-cancelable": "^2.0.0",
        "run-script-os": "^1.0.7",
        "ts-jest": "^25.4.0",
+        "ts-node": "^8.9.1",
        "tslint": "^6.1.2",
-        "typescript": "~3.7.4",
-        "ts-node": "^8.9.1"
+        "typescript": "~3.7.4"
    },
    "dependencies": {
        "@oclif/command": "^1.5.18",
        "@oclif/errors": "^1.2.2",
        "@types/jsonwebtoken": "^8.3.4",
        "basic-auth": "^2.0.1",
+        "bcrypt": "^5.0.0",
        "body-parser": "^1.18.3",
        "body-parser-xml": "^1.1.0",
        "client-oauth2": "^4.2.5",
--- a/packages/cli/src/Server.ts
+++ b/packages/cli/src/Server.ts
@ -20,6 +20,7 @@ import { RequestOptions } from 'oauth-1.0a';
 import * as csrf from 'csrf';
 import * as requestPromise from 'request-promise-native';
 import { createHmac } from 'crypto';
+import { compareSync } from 'bcrypt';

 import {
 	ActiveExecutions,
@ -186,6 +187,8 @@ class App {
 				throw new Error('Basic auth is activated but no password got defined. Please set one!');
 			}

+			const basicAuthHashEnabled = await GenericHelpers.getConfigValue('security.basicAuth.hash') as boolean;
+
 			this.app.use((req: express.Request, res: express.Response, next: express.NextFunction) => {
 				if (req.url.match(authIgnoreRegex)) {
 					return next();
@ -198,7 +201,7 @@ class App {
 					return ResponseHelper.basicAuthAuthorizationError(res, realm, 'Authorization is required!');
 				}

-				if (basicAuthData.name !== basicAuthUser || basicAuthData.pass !== basicAuthPassword) {
+				if (basicAuthData.name !== basicAuthUser || (!basicAuthHashEnabled && basicAuthData.pass !== basicAuthPassword) || (basicAuthHashEnabled && compareSync(basicAuthData.pass, basicAuthPassword) === false)) {
 					// Provided authentication data is wrong
 					return ResponseHelper.basicAuthAuthorizationError(res, realm, 'Authorization data is wrong!');
 				}