feat: Create the user_passwords module

Blckbrry-Pi · Blckbrry-Pi · commit 7a771d26a2f8 · 2024-07-19T19:48:28.000-04:00
diff --git a/modules/user_passwords/db/migrations/20240705023048_init/migration.sql b/modules/user_passwords/db/migrations/20240705023048_init/migration.sql
@@ -0,0 +1,8 @@
+-- CreateTable
+CREATE TABLE "Passwords" (
+    "userId" UUID NOT NULL,
+    "passwordHash" TEXT NOT NULL,
+    "algo" TEXT NOT NULL,
+
+    CONSTRAINT "Passwords_pkey" PRIMARY KEY ("userId")
+);
diff --git a/modules/user_passwords/db/migrations/migration_lock.toml b/modules/user_passwords/db/migrations/migration_lock.toml
@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (i.e. Git)
+provider = "postgresql"
diff --git a/modules/user_passwords/db/schema.prisma b/modules/user_passwords/db/schema.prisma
@@ -0,0 +1,11 @@
+// Do not modify this `datasource` block
+datasource db {
+	provider = "postgresql"
+	url      = env("DATABASE_URL")
+}
+
+model Passwords {
+    userId          String      @db.Uuid @id
+	passwordHash    String
+	algo            String
+}
diff --git a/modules/user_passwords/module.json b/modules/user_passwords/module.json
@@ -0,0 +1,32 @@
+{
+	"name": "User Password Verifier",
+	"dependencies": {
+		"users": {},
+		"rate_limit": {}
+	},
+	"scripts": {
+		"verify": {
+			"name": "Verify Password for User ID",
+			"description": "Verify that the provided password matches the provided user ID. Errors on mismatch."
+		},
+		"add": {
+			"name": "Add Password for User",
+			"description": "Register a new userID/password combination. Errors if user already has a password."
+		},
+		"update": {
+			"name": "Update Password for User",
+			"description": "Update a userID/password combination. Errors if user does not have a password."
+		}
+	},
+    "errors": {
+        "user_already_has_password": {
+            "name": "User already has a password"
+        },
+        "user_does_not_have_password": {
+            "name": "User does not yet have a password"
+        },
+        "password_invalid": {
+            "name": "Password is Invalid"
+        }
+    }
+}
diff --git a/modules/user_passwords/scripts/add.ts b/modules/user_passwords/scripts/add.ts
@@ -0,0 +1,48 @@
+import { Empty, RuntimeError, ScriptContext } from "../module.gen.ts";
+import { ALGORITHM_DEFAULT, Algorithm, hash } from "../utils/common.ts";
+
+export interface Request {
+	userId: string;
+    password: string;
+    algorithm?: Algorithm;
+}
+
+export type Response = Empty;
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+    await ctx.modules.rateLimit.throttle({
+        key: req.userId,
+        period: 10,
+        requests: 10,
+        type: "user",
+    });
+
+    // Check if the user exists before hashing the password to save compute
+    // resources
+    const user = await ctx.db.passwords.findFirst({
+        where: {
+            userId: req.userId,
+        },
+    });
+    if (user) {
+        throw new RuntimeError("user_already_has_password");
+    }
+
+    // Hash the password
+    const algo = req.algorithm || ALGORITHM_DEFAULT;
+    const passwordHash = await hash(req.password, algo);
+
+    // Create an entry for the user's password
+    await ctx.db.passwords.create({
+        data: {
+            userId: req.userId,
+            passwordHash,
+            algo,
+        },
+    });
+
+    return {};
+}
diff --git a/modules/user_passwords/scripts/update.ts b/modules/user_passwords/scripts/update.ts
@@ -0,0 +1,50 @@
+import { Empty, RuntimeError, ScriptContext } from "../module.gen.ts";
+import { ALGORITHM_DEFAULT, Algorithm, hash } from "../utils/common.ts";
+
+export interface Request {
+	userId: string;
+    newPassword: string;
+    newAlgorithm?: Algorithm;
+}
+
+export type Response = Empty;
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+    await ctx.modules.rateLimit.throttle({
+        key: req.userId,
+        period: 10,
+        requests: 10,
+        type: "user",
+    });
+
+    // Ensure the user exists before hashing the password to save compute
+    // resources
+    const user = await ctx.db.passwords.findFirst({
+        where: {
+            userId: req.userId,
+        },
+    });
+    if (!user) {
+        throw new RuntimeError("user_does_not_have_password");
+    }
+
+    // Hash the password
+    const algo = req.newAlgorithm || ALGORITHM_DEFAULT;
+    const passwordHash = await hash(req.newPassword, algo);
+
+    // Update the entry for the user's password
+    await ctx.db.passwords.update({
+        where: {
+            userId: req.userId,
+        },
+        data: {
+            passwordHash,
+            algo,
+        },
+    });
+
+    return {};
+}
diff --git a/modules/user_passwords/scripts/verify.ts b/modules/user_passwords/scripts/verify.ts
@@ -0,0 +1,44 @@
+import { Empty, RuntimeError, ScriptContext } from "../module.gen.ts";
+import { Algorithm, hashMatches } from "../utils/common.ts";
+
+export interface Request {
+	userId: string;
+    passGuess: string;
+}
+
+export type Response = Empty;
+
+export async function run(
+	ctx: ScriptContext,
+	req: Request,
+): Promise<Response> {
+    await ctx.modules.rateLimit.throttle({
+        key: req.userId,
+        period: 10,
+        requests: 10,
+        type: "user",
+    });
+
+    // Look up the user password hash
+    const user = await ctx.db.passwords.findFirst({
+        where: {
+            userId: req.userId,
+        },
+        select: {
+            algo: true,
+            passwordHash: true,
+        }
+    });
+    if (!user) throw new RuntimeError("user_does_not_have_password");
+
+    // Verify the passwordHash
+    const passwordMatches = await hashMatches(
+        req.passGuess,
+        user.passwordHash,
+        user.algo as Algorithm,
+    );
+
+    if (!passwordMatches) throw new RuntimeError("password_invalid");
+
+    return {};
+}
diff --git a/modules/user_passwords/tests/algorithms.ts b/modules/user_passwords/tests/algorithms.ts
@@ -0,0 +1,46 @@
+import { test, TestContext } from "../module.gen.ts";
+import { assertExists } from "https://deno.land/std@0.217.0/assert/mod.ts";
+import { faker } from "https://deno.land/x/deno_faker@v1.0.3/mod.ts";
+
+test("algorithms", async (ctx: TestContext) => {
+    const { user } = await ctx.modules.users.create({
+        username: faker.internet.userName(),
+    });
+    assertExists(user);
+
+    // Set up user
+    await ctx.modules.userPasswords.add({ userId: user.id, password: "password" });
+
+    // NOTE: Argon2 is temporarily disabled due to its reliance on `Deno.dlopen`
+    // const algorithms = ["argon2", "bcrypt", "scrypt"] as const;
+    const algorithms = ["bcrypt", "scrypt"] as const;
+    for (const algorithm of algorithms) {
+        // Register password
+        const password = faker.internet.password();
+        await ctx.modules.userPasswords.update({
+            userId: user.id,
+            newPassword: password,
+            newAlgorithm: algorithm,
+        });
+
+        // Verify password
+        await ctx.modules.userPasswords.verify({
+            userId: user.id,
+            passGuess: password,
+        });
+
+        // Change password
+        const newPass = faker.internet.password();
+        await ctx.modules.userPasswords.update({
+            userId: user.id,
+            newPassword: newPass,
+            newAlgorithm: algorithm,
+        });
+
+        // Verify new password
+        await ctx.modules.userPasswords.verify({
+            userId: user.id,
+            passGuess: newPass,
+        });
+    }
+});
diff --git a/modules/user_passwords/tests/verify.ts b/modules/user_passwords/tests/verify.ts
@@ -0,0 +1,94 @@
+import { test, TestContext } from "../module.gen.ts";
+import { assertExists, assertEquals, assertRejects } from "https://deno.land/std@0.217.0/assert/mod.ts";
+import { faker } from "https://deno.land/x/deno_faker@v1.0.3/mod.ts";
+import { RuntimeError } from "../module.gen.ts";
+
+test("accept_matching_password", async (ctx: TestContext) => {
+	const { user } = await ctx.modules.users.create({
+		username: faker.internet.userName(),
+	});
+	assertExists(user);
+
+	// Register password
+	const password = faker.internet.password();
+	await ctx.modules.userPasswords.add({
+		userId: user.id,
+		password,
+	});
+
+	// Verify password
+	await ctx.modules.userPasswords.verify({
+		userId: user.id,
+		passGuess: password,
+	});
+
+	// Change password
+	const newPass = faker.internet.password();
+	await ctx.modules.userPasswords.update({
+		userId: user.id,
+		newPassword: newPass,
+	});
+
+	// Verify new password
+	await ctx.modules.userPasswords.verify({
+		userId: user.id,
+		passGuess: newPass,
+	});
+});
+
+
+test("reject_different_password", async (ctx: TestContext) => {
+	const { user } = await ctx.modules.users.create({
+		username: faker.internet.userName(),
+	});
+	assertExists(user);
+
+	// Register password
+	const password = faker.internet.password();
+	await ctx.modules.userPasswords.add({
+		userId: user.id,
+		password,
+	});
+
+	const wrongPassword = faker.internet.password();
+
+	// Verify incorrect password
+	const error = await assertRejects(async () => {
+		await ctx.modules.userPasswords.verify({
+			userId: user.id,
+			passGuess: wrongPassword,
+		});
+	}, RuntimeError);
+
+	// Verify error message
+	assertExists(error.message);
+	assertEquals(error.code, "password_invalid");
+});
+
+test("reject_unregistered", async (ctx: TestContext) => {
+	const { user } = await ctx.modules.users.create({
+		username: faker.internet.userName(),
+	});
+	assertExists(user);
+
+	// Register password
+	const password = faker.internet.password();
+	await ctx.modules.userPasswords.add({
+		userId: user.id,
+		password,
+	});
+
+	const wrongPassword = faker.internet.password();
+
+	// Verify "correct" password with unregistered user
+	const error = await assertRejects(async () => {
+		await ctx.modules.userPasswords.verify({
+			userId: crypto.randomUUID(),
+			passGuess: wrongPassword,
+		});
+	}, RuntimeError);
+
+	// Verify error message
+	assertExists(error.message);
+	assertEquals(error.code, "user_does_not_have_password");
+});
diff --git a/modules/user_passwords/utils/argon2.ts b/modules/user_passwords/utils/argon2.ts
@@ -0,0 +1,31 @@
+import {
+    hash as hashArgon2,
+    HashOptions,
+    ThreadMode,
+    Variant,
+    verify as verifyArgon2,
+    Version,
+} from "https://deno.land/x/argon2_ffi@v1.0.5/mod.ts";
+import { generateSalt } from "./common.ts";
+
+// OWASP recommended defaults
+const argon2Defaults: Partial<HashOptions> = {
+    timeCost: 3, // 3 iterations
+    memoryCost: 12 * 1024, // 12MiB of memory
+    lanes: 1,
+    threadMode: ThreadMode.Parallel,
+
+    variant: Variant.Argon2id,
+    version: Version.V13,
+};
+
+export function createHash(password: string) {
+    return hashArgon2(password, {
+        ...argon2Defaults,
+        salt: generateSalt(),
+    });
+}
+
+export function hashMatches(guess: string, hash: string) {
+    return verifyArgon2(guess, hash);
+}
diff --git a/modules/user_passwords/utils/bcrypt.ts b/modules/user_passwords/utils/bcrypt.ts
@@ -0,0 +1,9 @@
+import { hash as hashBCrypt, compare } from "https://deno.land/x/bcrypt@v0.4.1/mod.ts";
+
+export function createHash(password: string) {
+    return hashBCrypt(password);
+}
+
+export function hashMatches(guess: string, hash: string) {
+    return compare(guess, hash);
+}
diff --git a/modules/user_passwords/utils/common.ts b/modules/user_passwords/utils/common.ts
diff --git a/modules/user_passwords/utils/scrypt.ts b/modules/user_passwords/utils/scrypt.ts
diff --git a/tests/basic/backend.json b/tests/basic/backend.json
diff --git a/tests/basic/deno.lock b/tests/basic/deno.lock

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Please do not edit this file manually`
	`2`	`+# It should be added in your version-control system (i.e. Git)`
	`3`	`+provider = "postgresql"`