feat(auth): make crypto async

- Update tests and add new test for changed password
- User.authenticate() User.makeSalt() and User.encryptPassword() public API remains same
- User.authenticate() User.makeSalt() and User.encryptPassword() callbacks are optional

- Change User schema from hashedPassword to password
- Remove unnecessary virtual attribute User.password, getters and setters are not async

Author: Patrick Baker

app/templates/server/.jshintrc

@@ -1,4 +1,5 @@
 {
+  "expr": true,
   "node": true,
   "esnext": true,
   "bitwise": true,

app/templates/server/api/user(auth)/user.controller.js

@@ -14,7 +14,7 @@ var validationError = function(res, err) {
  * restriction: 'admin'
  */
 exports.index = function(req, res) {
-  User.find({}, '-salt -hashedPassword', function (err, users) {
+  User.find({}, '-salt -password', function (err, users) {
     if(err) return res.send(500, err);
     res.json(200, users);
   });
@@ -67,15 +67,19 @@ exports.changePassword = function(req, res, next) {
   var newPass = String(req.body.newPassword);
 
   User.findById(userId, function (err, user) {
-    if(user.authenticate(oldPass)) {
-      user.password = newPass;
-      user.save(function(err) {
-        if (err) return validationError(res, err);
-        res.send(200);
-      });
-    } else {
-      res.send(403);
-    }
+    user.authenticate(oldPass, function(authErr, authenticated) {
+      if (authErr) res.send(403);
+
+      if (authenticated) {
+        user.password = newPass;
+        user.save(function(err) {
+          if (err) return validationError(res, err);
+          res.send(200);
+        });
+      } else {
+        res.send(403);
+      }
+    });
   });
 };
 
@@ -86,7 +90,7 @@ exports.me = function(req, res, next) {
   var userId = req.user._id;
   User.findOne({
     _id: userId
-  }, '-salt -hashedPassword', function(err, user) { // don't ever give out the password or salt
+  }, '-salt -password', function(err, user) { // don't ever give out the password or salt
     if (err) return next(err);
     if (!user) return res.json(401);
     res.json(user);

app/templates/server/api/user(auth)/user.model.js

@@ -12,7 +12,7 @@ var UserSchema = new Schema({
     type: String,
     default: 'user'
   },
-  hashedPassword: String,
+  password: String,
   provider: String,
   salt: String<% if (filters.oauth) { %>,<% if (filters.facebookAuth) { %>
   facebook: {},<% } %><% if (filters.twitterAuth) { %>
@@ -24,16 +24,6 @@ var UserSchema = new Schema({
 /**
  * Virtuals
  */
-UserSchema
-  .virtual('password')
-  .set(function(password) {
-    this._password = password;
-    this.salt = this.makeSalt();
-    this.hashedPassword = this.encryptPassword(password);
-  })
-  .get(function() {
-    return this._password;
-  });
 
 // Public profile information
 UserSchema
@@ -69,10 +59,10 @@ UserSchema
 
 // Validate empty password
 UserSchema
-  .path('hashedPassword')
-  .validate(function(hashedPassword) {<% if (filters.oauth) { %>
+  .path('password')
+  .validate(function(password) {<% if (filters.oauth) { %>
     if (authTypes.indexOf(this.provider) !== -1) return true;<% } %>
-    return hashedPassword.length;
+    return password.length;
   }, 'Password cannot be blank');
 
 // Validate email is not taken
@@ -99,12 +89,26 @@ var validatePresenceOf = function(value) {
  */
 UserSchema
   .pre('save', function(next) {
-    if (!this.isNew) return next();
-
-    if (!validatePresenceOf(this.hashedPassword)<% if (filters.oauth) { %> && authTypes.indexOf(this.provider) === -1<% } %>)
-      next(new Error('Invalid password'));
-    else
+    // Handle new/update passwords
+    if (this.password) {
+      if (!validatePresenceOf(this.password)<% if (filters.oauth) { %> && authTypes.indexOf(this.provider) === -1<% } %>)
+        next(new Error('Invalid password'));
+
+      // Make salt with a callback
+      var _this = this;
+      this.makeSalt(function(saltErr, salt) {
+        if (saltErr) next(saltErr);
+        _this.salt = salt;
+        // Async hash
+        _this.encryptPassword(_this.password, function(encryptErr, hashedPassword) {
+          if (encryptErr) next(encryptErr);
+          _this.password = hashedPassword;
+          next();
+        });
+      });
+    } else {
       next();
+    }
   });
 
 /**
@@ -115,34 +119,82 @@ UserSchema.methods = {
    * Authenticate - check if the passwords are the same
    *
    * @param {String} plainText
+   * @callback {callback} Optional callback
    * @return {Boolean}
    * @api public
    */
-  authenticate: function(plainText) {
-    return this.encryptPassword(plainText) === this.hashedPassword;
+  authenticate: function(password, callback) {
+    if (!callback)
+      return this.password === this.encryptPassword(password);
+
+    var _this = this;
+    this.encryptPassword(password, function(err, pwdGen) {
+      if (err) callback(err);
+
+      if (_this.password === pwdGen) {
+        callback(null, true);
+      } else {
+        callback(null, false);
+      }
+    });
   },
 
   /**
    * Make salt
    *
+   * @param {Number} byteSize Optional salt byte size, default to 16
+   * @callback {callback} Optional callback
    * @return {String}
    * @api public
    */
-  makeSalt: function() {
-    return crypto.randomBytes(16).toString('base64');
+  makeSalt: function(byteSize, callback) {
+    var defaultByteSize = 16;
+
+    if (typeof arguments[0] === 'function') {
+      callback = arguments[0];
+      byteSize = defaultByteSize;
+    } else if (typeof arguments[1] === 'function') {
+      callback = arguments[1];
+    }
+
+    if (!byteSize) {
+      byteSize = defaultByteSize;
+    }
+
+    if (!callback) {
+      return crypto.randomBytes(byteSize).toString('base64');
+    }
+
+    return crypto.randomBytes(byteSize, function(err, salt) {
+      if (err) callback(err);
+      return callback(null, salt.toString('base64'));
+    });
   },
 
   /**
    * Encrypt password
    *
    * @param {String} password
+   * @callback {callback} Optional callback
    * @return {String}
    * @api public
    */
-  encryptPassword: function(password) {
-    if (!password || !this.salt) return '';
+  encryptPassword: function(password, callback) {
+    if (!password || !this.salt) {
+      return null;
+    }
+
+    var defaultIterations = 10000;
+    var defaultKeyLength = 64;
     var salt = new Buffer(this.salt, 'base64');
-    return crypto.pbkdf2Sync(password, salt, 10000, 64).toString('base64');
+
+    if (!callback)
+      return crypto.pbkdf2Sync(password, salt, defaultIterations, defaultKeyLength).toString('base64');
+
+    return crypto.pbkdf2(password, salt, defaultIterations, defaultKeyLength, function(err, key) {
+      if (err) callback(err);
+      return callback(null, key.toString('base64'));
+    });
   }
 };
 

app/templates/server/api/user(auth)/user.model.spec.js

@@ -4,14 +4,9 @@ var should = require('should');
 var app = require('../../app');
 var User = require('./user.model');
 
-var user = new User({
-  provider: 'local',
-  name: 'Fake User',
-  email: 'test@test.com',
-  password: 'password'
-});
-
 describe('User Model', function() {
+  var user;
+
   before(function(done) {
     // Clear users before testing
     User.remove().exec().then(function() {
@@ -20,6 +15,15 @@ describe('User Model', function() {
   });
 
   afterEach(function(done) {
+    // Start from scratch
+    user = new User({
+      provider: 'local',
+      name: 'Fake User',
+      email: 'test@test.com',
+      password: 'password'
+    });
+
+    // Clear all users
     User.remove().exec().then(function() {
       done();
     });
@@ -50,11 +54,34 @@ describe('User Model', function() {
     });
   });
 
-  it("should authenticate user if password is valid", function() {
-    return user.authenticate('password').should.be.true;
+  it("should authenticate user if password is valid", function(done) {
+    user.save(function(err, newUser) {
+      newUser.authenticate('password', function(authErr, authenticated) {
+        authenticated.should.be.true;
+        done();
+      });
+    });
+  });
+
+  it("should not authenticate user if password is invalid", function(done) {
+    user.save(function(err, newUser) {
+      newUser.authenticate('invalidPassword', function(authErr, authenticated) {
+        authenticated.should.not.be.true;
+        done();
+      });
+    });
   });
 
-  it("should not authenticate user if password is invalid", function() {
-    return user.authenticate('blah').should.not.be.true;
+  it("should authenticate after updating password", function(done) {
+    user.save(function(err, newUser) {
+      newUser.password = 'newPassword';
+      newUser.save(function() {
+        newUser.authenticate('newPassword', function(authErr, authenticated) {
+          authenticated.should.be.true;
+          done();
+        });
+      });
+    });
   });
+
 });

app/templates/server/auth(auth)/local/passport.js

@@ -15,11 +15,15 @@ exports.setup = function (User, config) {
         if (!user) {
           return done(null, false, { message: 'This email is not registered.' });
         }
-        if (!user.authenticate(password)) {
-          return done(null, false, { message: 'This password is not correct.' });
-        }
-        return done(null, user);
+        user.authenticate(password, function(authError, authenticated) {
+          if (authError) return done(authError);
+          if (!authenticated) {
+            return done(null, false, { message: 'This password is not correct.' });
+          } else {
+            return done(null, user);
+          }
+        });
       });
     }
   ));
-};
+};