chore(auth): remove security plan doc and marker comments

Adolfo Reyna
2026-02-20 21:22:47 -05:00
parent 19d805d322
commit f3a782a360
3 changed files with 0 additions and 91 deletions


@@ -47,7 +47,6 @@ const createSessionFromUser = async ({ DB, user, req, res }) => {
// When new users are subscribed, they have a single profile, which is the personal one.
// Other profiles can be link to that user, like groups or courses.
const signup = async function (req, res) {
// SECURITY FIX (#2): only accept credentials from request body.
const username = (req.body.username || "").trim().toLowerCase();
const password = req.body.password;
const email = (req.body.email || "").trim().toLowerCase();
@@ -68,9 +67,6 @@ const signup = async function (req, res) {
}
let isUserAlreadyRegistered = await DB.getUser(email);
if (isUserAlreadyRegistered && isUserAlreadyRegistered._id) return res.json({ status: "This user is already registered" });
// SECURITY PLAN (point #5):
// bcrypt.hash already includes a per-password salt.
// Future hardening: centralize cost factor policy (and consider rehash-on-login).
const hashedPassword = await bcrypt.hash(password, 10);
const newUserObject = await DB.newUser({
username,
@@ -115,7 +111,6 @@ const login = async function (req, res) {
if (userInfo) return res.redirect('/');
}
const invalidCredentials = () => res.status(401).json({ status: "Invalid credentials" });
// SECURITY FIX (#2): only accept credentials from request body.
const username = (req.body.username || req.body.email || "").trim().toLowerCase();
const password = req.body.password || "";
if (!username || !password) return invalidCredentials();
@@ -128,11 +123,7 @@ const login = async function (req, res) {
properties: { username },
});
}
// SECURITY PLAN (point #5):
// bcrypt.compare validates salted hashes directly; no manual salt parameter is needed.
// SECURITY FIX (#4): compare against dummy hash when user doesn't exist to reduce timing side-channel.
const isSamePassword = await bcrypt.compare(password, user?.password || DUMMY_BCRYPT_HASH);
// SECURITY FIX (#4): same response for non-existing user and wrong password.
if (!user || !isSamePassword) return invalidCredentials();
try {
return res.json(await createSessionFromUser({ DB, user, req, res }));
@@ -170,7 +161,6 @@ const logout = async function (req, res) {
const resetPassword = async function (req, res) {
const DB = await MongoDB.getDB;
// SECURITY FIX (#1): issue a single-use token instead of sending/changing passwords.
const genericResetResponse = {
status: "ok",
details: "If the account exists, check your email for next steps"