Merge pull request #1940 from thelounge/xpaw/fix-1934

Hash user tokens, increase token entropy

src/client.js

@@ -94,6 +94,27 @@ function Client(manager, name, config) {
 
 	if (typeof client.config.sessions !== "object") {
 		client.config.sessions = {};
+	} else {
+		// TODO: This is just for backwards compatibility. Remove in v3.0.0
+		const newSessions = {};
+		let changed = false;
+
+		_.forOwn(client.config.sessions, (session, key) => {
+			if (key.length !== 128) {
+				key = client.calculateTokenHash(key);
+				changed = true;
+			}
+
+			newSessions[key] = session;
+		});
+
+		if (changed) {
+			log.info(`User ${colors.bold(client.name)} has been updated with new security requirements for tokens.`);
+
+			delete client.config.token;
+			client.config.sessions = newSessions;
+			client.save();
+		}
 	}
 
 	_.forOwn(client.config.sessions, (session) => {
@@ -282,7 +303,7 @@ Client.prototype.connect = function(args) {
 };
 
 Client.prototype.generateToken = function(callback) {
-	crypto.randomBytes(48, (err, buf) => {
+	crypto.randomBytes(64, (err, buf) => {
 		if (err) {
 			throw err;
 		}
@@ -291,6 +312,10 @@ Client.prototype.generateToken = function(callback) {
 	});
 };
 
+Client.prototype.calculateTokenHash = function(token) {
+	return crypto.createHash("sha512").update(token).digest("hex");
+};
+
 Client.prototype.updateSession = function(token, ip, request) {
 	const client = this;
 	const agent = UAParser(request.headers["user-agent"] || "");

src/server.js

@@ -389,7 +389,7 @@ function initializeClient(socket, client, token, lastMessage) {
 	});
 
 	socket.on("push:register", (subscription) => {
-		if (!client.isRegistered() || !client.config.sessions[token]) {
+		if (!client.isRegistered() || !client.config.sessions.hasOwnProperty(token)) {
 			return;
 		}
 
@@ -434,7 +434,7 @@ function initializeClient(socket, client, token, lastMessage) {
 			tokenToSignOut = token;
 		}
 
-		if (!(tokenToSignOut in client.config.sessions)) {
+		if (!client.config.sessions.hasOwnProperty(tokenToSignOut)) {
 			return;
 		}
 
@@ -475,11 +475,11 @@ function initializeClient(socket, client, token, lastMessage) {
 
 	if (!Helper.config.public && token === null) {
 		client.generateToken((newToken) => {
-			client.attachedClients[socket.id].token = token = newToken;
+			client.attachedClients[socket.id].token = token = client.calculateTokenHash(newToken);
 
 			client.updateSession(token, getClientIp(socket), socket.request);
 
-			sendInitEvent(token);
+			sendInitEvent(newToken);
 		});
 	} else {
 		sendInitEvent(null);
@@ -519,8 +519,9 @@ function getServerConfiguration() {
 function performAuthentication(data) {
 	const socket = this;
 	let client;
+	let token = null;
 
-	const finalInit = () => initializeClient(socket, client, data.token || null, data.lastMessage || -1);
+	const finalInit = () => initializeClient(socket, client, token, data.lastMessage || -1);
 
 	const initClient = () => {
 		socket.emit("configuration", getClientConfiguration());
@@ -572,11 +573,16 @@ function performAuthentication(data) {
 	client = manager.findClient(data.user);
 
 	// We have found an existing user and client has provided a token
-	if (client && data.token && typeof client.config.sessions[data.token] !== "undefined") {
-		client.updateSession(data.token, getClientIp(socket), socket.request);
+	if (client && data.token) {
+		const providedToken = client.calculateTokenHash(data.token);
 
-		authCallback(true);
-		return;
+		if (client.config.sessions.hasOwnProperty(providedToken)) {
+			token = providedToken;
+
+			client.updateSession(providedToken, getClientIp(socket), socket.request);
+
+			return authCallback(true);
+		}
 	}
 
 	// Perform password checking