Feat: Hash metrics password (#1778)

hash the metrics password

if it is not already hashed

src/server/database/repositories/general/service.ts

@@ -107,7 +107,15 @@ export class GeneralService {
     };
   }
 
-  update(data: GeneralUpdateType) {
+  async update(data: GeneralUpdateType) {
+    // only hash the password if it is not already hashed
+    if (
+      data.metricsPassword !== null &&
+      !isValidPasswordHash(data.metricsPassword)
+    ) {
+      data.metricsPassword = await hashPassword(data.metricsPassword);
+    }
+
     return this.#db.update(general).set(data).execute();
   }
 

src/server/database/repositories/general/types.ts

@@ -11,7 +11,6 @@ const metricsEnabled = z.boolean({ message: t('zod.general.metricsEnabled') });
 const metricsPassword = z
   .string({ message: t('zod.general.metricsPassword') })
   .min(1, { message: t('zod.general.metricsPassword') })
-  // TODO?: validate argon2 regex
   .nullable();
 
 export const GeneralUpdateSchema = z.object({

src/server/utils/password.ts

@@ -1,4 +1,5 @@
 import argon2 from 'argon2';
+import { deserialize } from '@phc/format';
 
 /**
  * Checks if `password` matches the hash.
@@ -16,3 +17,21 @@ export function isPasswordValid(
 export async function hashPassword(password: string): Promise<string> {
   return argon2.hash(password);
 }
+
+/**
+ * Checks if the password hash is valid.
+ * This only checks if the hash is a valid PHC formatted string using argon2.
+ */
+export function isValidPasswordHash(hash: string): boolean {
+  try {
+    const obj = deserialize(hash);
+
+    if (obj.id !== 'argon2i' && obj.id !== 'argon2d' && obj.id !== 'argon2id') {
+      return false;
+    }
+
+    return true;
+  } catch {
+    return false;
+  }
+}