Skip to content

Commit 1b2f334

Browse files
devksingh4devksingh4
committed
Do not store hash secret in the DB
1 parent d984a40 commit 1b2f334

File tree

2 files changed

+48
-2
lines changed

2 files changed

+48
-2
lines changed

src/api/functions/uin.ts

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
import { DynamoDBClient, PutItemCommand } from "@aws-sdk/client-dynamodb";
22
import { marshall } from "@aws-sdk/util-dynamodb";
3-
import { hash } from "argon2";
3+
import { argon2id, hash } from "argon2";
44
import { genericConfig } from "common/config.js";
55
import {
66
BaseError,
@@ -93,7 +93,17 @@ export async function getUinHash({
9393
pepper,
9494
uin,
9595
}: HashUinInputs): Promise<string> {
96-
return hash(uin, { salt: Buffer.from(pepper) });
96+
// we set the defaults again because we do direct string comparisions
97+
return hash(uin, {
98+
secret: Buffer.from(pepper),
99+
hashLength: 32,
100+
timeCost: 3,
101+
memoryCost: 65536,
102+
parallelism: 4,
103+
type: argon2id,
104+
version: 19,
105+
salt: Buffer.from("acmuiucuin"),
106+
});
97107
}
98108

99109
export async function getHashedUserUin({

tests/unit/functions/uin.test.ts

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
import { describe, expect, test } from "vitest";
2+
import { getUinHash } from "../../../src/api/functions/uin.js";
3+
4+
describe("UIN hashing test", async () => {
5+
test("Hashes are the same as previously run", async () => {
6+
const pepper = "2c8feda7-17af-4cd1-b783-0097f61a99f9"
7+
const uin = "123456789";
8+
const expectedHash = "$argon2id$v=19$m=65536,t=3,p=4$YWNtdWl1Y3Vpbg$nTyHsSnzvhe9+UIVEb/ol+k8dU1qTSEFoui6Hq8KbBY"
9+
const hashed = await getUinHash({
10+
pepper, uin
11+
});
12+
expect(hashed).toStrictEqual(expectedHash);
13+
})
14+
test("Hashes are the same from run to run", async () => {
15+
const pepper = "c84b88f6-81cb-4748-b4a7-212431e10bbe"
16+
const uin = "123456789";
17+
const hashed1 = await getUinHash({
18+
pepper, uin
19+
});
20+
const hashed2 = await getUinHash({
21+
pepper, uin
22+
});
23+
expect(hashed1).toStrictEqual(hashed2);
24+
})
25+
test("Hashes are different from run to run", async () => {
26+
const pepper = "c84b88f6-81cb-4748-b4a7-212431e10bbe"
27+
const uin = "123456789";
28+
const hashed1 = await getUinHash({
29+
pepper, uin
30+
});
31+
const hashed2 = await getUinHash({
32+
pepper, uin: "987654321"
33+
});
34+
expect(hashed1).not.toStrictEqual(hashed2);
35+
})
36+
})

0 commit comments

Comments
 (0)