bug: Auth doesn't work properly
ovidiuvio opened this issue · 8 comments
Bug Report
ZeroUI version:
latest
Current behavior:
The password hashing algorithm seems to be producing a random hash on every execution.
This causes the auth verifyHash to mismatch with the hash stored in db.json.
Please see the attached screenshot that logs the stored password and the hash computed for the entered password.
Hello, @ovidiuvio.
That seems strange. Did you use the latest docker image?
Yes, this is with the latest image.
Also I've tried some sample code on another Ubuntu machine, using the same hashing library.
It behaves in the same way: it produces a different hash at every run.
DISCLAIMER: I am not a js developer :) I just learned a bit now to debug this
I've used the following sample code:
const hashPassword = require("pbkdf2-wrapper/hashText");
const config = {
  encoding: 'hex',
  digest: 'sha256',
  hashBytes: 32,
  saltBytes: 16,
  iterations: 372791
};
const pass = async function () {
  // Prints a different value on every run of this script
  const hash = await hashPassword('testpass', config);
  console.log(hash);
};
// Invoke the function so the script actually produces output
pass();
On my machine, I've replaced the salt-based library with sha256; it seems to work fine for me now.
https://www.npmjs.com/package/js-sha256
var sha256 = require('js-sha256'); // the module export is itself the sha256 function
const db = require("../utils/db");
exports.authorize = authorize;
async function authorize(username, password, callback) {
  // A failed db read rejects the promise, same as the explicit rethrow did
  const users = await db.get("users");
  // lowdb-style query: .value() yields the record or undefined
  const user = users.find({ username: username }).value();
  // Check for the user before reading its fields
  if (!user) return callback(new Error("Cannot find user"));
  console.log(username);
  // Debug output: the plaintext password is deliberately not logged
  console.log(user["password_hash"]);
  const hash = sha256(password);
  console.log(hash);
  const verified = (hash === user["password_hash"]);
  if (verified) {
    return callback(null, user);
  } else {
    return callback(new Error("Invalid password"));
  }
}
Probably needs to be added in the init script as well.
I suppose that a new salt is generated every time; that is not a problem. Currently, if you'd like to change the ZeroUI password, you should remove the password entry manually to generate a new hash based on the environment variable.
The salt is added in the beginning of the hash string.
@dec0dOS I didn't change anything. I've set up the container a few days back, I was able to auth, but now the password doesn't work anymore.
Btw I am not running this using docker compose, I am just running the UI controller as a standalone docker container.
Does the db.json file need to be updated every time the container is restarted or something like that?
No, it should work without updating the db.json file every time. I did not test the standalone docker container, but I couldn't find even a single reason why it should not work as expected with the single container. That is strange.
Thanks for the report, please try to set up via the docker-compose file provided in the repo and let me know the result.
Ok, short update:
I've done a fresh install, tested around a bit and it is not reproducing anymore.
I did check on the broken setup that I was using the user and pass set in the ZU_DEFAULT_* variables.
I am not sure what actually went wrong here.
We can close this for now, and in case it happens again I'll share the setup with you privately.
Thank you for the quick responses!
For reference, this is the command line I've used to run the container as standalone:
sudo docker run -t -d --restart unless-stopped -v /var/lib/zerotier-one:/var/lib/zerotier-one -v /var/lib/zt-controller:/app/backend/data -e ZU_CONTROLLER_ENDPOINT='http://172.17.0.1:9993/' -e ZU_SECURE_HEADERS='false' -e ZU_DEFAULT_USERNAME='admin' -e ZU_DEFAULT_PASSWORD='zeroui' -p 4000:4000 --name zt-ui dec0dos/zero-ui:latest
Also, the following was added to zerotier local.conf
{"settings": {"portMappingEnabled": true,"softwareUpdate": "disable","allowManagementFrom": ["127.0.0.1"]}}