Merge pull request #3698 from cdr/jsjoeio-fix-argon-issue

fix(isHashMatch): check that hash starts with $

Author: jsjoeio

src/node/util.ts

@@ -166,14 +166,13 @@ export const hash = async (password: string): Promise<string> => {
  * Used to verify if the password matches the hash
  */
 export const isHashMatch = async (password: string, hash: string) => {
-  if (password === "" || hash === "") {
+  if (password === "" || hash === "" || !hash.startsWith("$")) {
     return false
   }
   try {
     return await argon2.verify(hash, password)
   } catch (error) {
-    logger.error(error)
-    return false
+    throw new Error(error)
   }
 }
 

test/unit/node/util.test.ts

@@ -189,6 +189,17 @@ describe("isHashMatch", () => {
     const actual = await util.isHashMatch(password, _hash)
     expect(actual).toBe(false)
   })
+  it("should return false and not throw an error if the hash doesn't start with a $", async () => {
+    const password = "hellowpasssword"
+    const _hash = "n2i$v=19$m=4096,t=3,p=1$EAoczTxVki21JDfIZpTUxg$rkXgyrW4RDGoDYrxBFD4H2DlSMEhP4h+Api1hXnGnFY"
+    expect(async () => await util.isHashMatch(password, _hash)).not.toThrow()
+    expect(await util.isHashMatch(password, _hash)).toBe(false)
+  })
+  it("should reject the promise and throw if error", async () => {
+    const password = "hellowpasssword"
+    const _hash = "$ar2i"
+    expect(async () => await util.isHashMatch(password, _hash)).rejects.toThrow()
+  })
 })
 
 describe("hashLegacy", () => {