diff --git a/website/server/controllers/api-v3/auth.js b/website/server/controllers/api-v3/auth.js
index b5aa5ccbb0..fd277377bf 100644
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -125,6 +125,7 @@ api.registerLocal = {
 email,
 salt,
 hashed_password, // eslint-disable-line camelcase
+ passwordHashMethod: 'sha1',
 },
 },
 preferences: {
diff --git a/website/server/models/user/hooks.js b/website/server/models/user/hooks.js
index 3b245a5851..5c15db3733 100644
--- a/website/server/models/user/hooks.js
+++ b/website/server/models/user/hooks.js
@@ -10,7 +10,7 @@ import schema from './schema';
 schema.plugin(baseModel, {
 // noSet is not used as updating uses a whitelist and creating only accepts specific params (password, email, username, ...)
 noSet: [],
- private: ['auth.local.hashed_password', 'auth.local.salt', '_cronSignature', '_ABtest', '_ABtests'],
+ private: ['auth.local.hashed_password', 'auth.local.passwordHashMethod', 'auth.local.salt', '_cronSignature', '_ABtest', '_ABtests'],
 toJSONTransform: function userToJSON (plainObj, originalDoc) {
 plainObj._tmp = originalDoc._tmp; // be sure to send down drop notifs
 delete plainObj.filters;
diff --git a/website/server/models/user/schema.js b/website/server/models/user/schema.js
index 36c038a120..223c6020e9 100644
--- a/website/server/models/user/schema.js
+++ b/website/server/models/user/schema.js
@@ -54,7 +54,12 @@ let schema = new Schema({
 // Store a lowercase version of username to check for duplicates
 lowerCaseUsername: String,
 hashed_password: String, // eslint-disable-line camelcase
- salt: String,
+ // Legacy password are hashed with SHA1, new ones with bcrypt
+ passwordHashMethod: {
+ type: String,
+ enum: ['bcrypt', 'sha1'],
+ },
+ salt: String, // Salt for SHA1 encrypted passwords, not stored for bcrypt
 },
 timestamps: {
 created: {type: Date, default: Date.now},
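Review bot: The value written on the added line in auth.js is `'sha1'`, while the schema comment introduced in the same commit says new passwords use bcrypt, so every account created through registerLocal after this change is explicitly tagged as a legacy-hash user. If switching registration to bcrypt is planned for a follow-up, a comment on this line such as `// interim: registration still stores SHA1 until the bcrypt path lands` would make that intent visible to the next reader; if it is not planned, the schema comment is wrong. Tagging the method explicitly is still better than leaving it undefined, because the login path can then pick the verifier from the stored field instead of guessing from the presence of a salt. registerLocal starts and ends outside the hunk.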
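Review bot: `passwordHashMethod` in schema.js has no default, so user documents that predate this field carry no value at all, and the comment should say how that case is read — presumably as SHA1, since only legacy users lack it, but the login code outside this diff has to confirm that; a comment like `// Legacy passwords are hashed with SHA1, new ones with bcrypt; undefined on pre-existing documents (read as SHA1)` would record the contract next to the enum. The added comment also has a grammar slip (`Legacy password are`), and the salt comment says `encrypted` where `hashed` is meant: `salt: String, // Salt for SHA1-hashed passwords, not stored for bcrypt`. The Schema literal starts and ends outside the hunk.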