feat: implement argon2 and changed session data type to timestamptz

lib/new-admin/graphql/modules/authentication.js

@@ -1,5 +1,5 @@
 const otplib = require('otplib')
-const bcrypt = require('bcrypt')
+const argon2 = require('argon2')
 
 const loginHelper = require('../../services/login')
 const T = require('../../../time')
@@ -14,7 +14,7 @@ const authenticateUser = (username, password) => {
     .then(user => {
       const hashedPassword = user.password
       if (!hashedPassword || !user.enabled) throw new authErrors.InvalidCredentialsError()
-      return Promise.all([bcrypt.compare(password, hashedPassword), hashedPassword])
+      return Promise.all([argon2.verify(hashedPassword, password), hashedPassword])
     })
     .then(([isMatch, hashedPassword]) => {
       if (!isMatch) throw new authErrors.InvalidCredentialsError()
@@ -76,7 +76,7 @@ const get2FASecret = (username, password) => {
   return authenticateUser(username, password)
     .then(user => {
       const secret = otplib.authenticator.generateSecret()
-      const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
+      const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu', secret)
       return Promise.all([users.saveTemp2FASecret(user.id, secret), secret, otpauth])
     })
     .then(([_, secret, otpauth]) => {
@@ -125,7 +125,7 @@ const validateReset2FALink = token => {
     })
     .then(user => {
       const secret = otplib.authenticator.generateSecret()
-      const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu Industries', secret)
+      const otpauth = otplib.authenticator.keyuri(user.username, 'Lamassu', secret)
       return Promise.all([users.saveTemp2FASecret(user.id, secret), user, secret, otpauth])
     })
     .then(([_, user, secret, otpauth]) => {

lib/new-admin/graphql/types/transaction.type.js

@@ -47,7 +47,7 @@ const typeDef = gql`
 
   type Query {
     transactions(from: Date, until: Date, limit: Int, offset: Int, deviceId: ID): [Transaction] @auth
-    transactionsCsv(from: Date, until: Date, limit: Int, offset: Int): String
+    transactionsCsv(from: Date, until: Date, limit: Int, offset: Int): String @auth
   }
 `
 

lib/users.js

@@ -1,7 +1,7 @@
 const _ = require('lodash/fp')
 const pgp = require('pg-promise')()
 const crypto = require('crypto')
-const bcrypt = require('bcrypt')
+const argon2 = require('argon2')
 const uuid = require('uuid')
 
 const db = require('./db')
@@ -107,7 +107,7 @@ function createAuthToken (userID, type) {
 function updatePassword (token, id, password) {
   return validateAuthToken(token, 'reset_password').then(res => {
     if (!res.success) throw new Error('Failed to verify password reset token')
-    return bcrypt.hash(password, 12).then(function (hash) {
+    return argon2.hash(password).then(function (hash) {
       return db.tx(t => {
         const q1 = t.none(`UPDATE users SET password=$1 WHERE id=$2`, [hash, id])
         const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id])
@@ -136,7 +136,7 @@ function validateUserRegistrationToken (token) {
 function register (token, username, password, role) {
   return validateUserRegistrationToken(token).then(res => {
     if (!res.success) throw new Error('Failed to verify registration token')
-    return bcrypt.hash(password, 12).then(hash => {
+    return argon2.hash(password).then(hash => {
       return db.tx(t => {
         const q1 = t.none(`INSERT INTO users (id, username, password, role) VALUES ($1, $2, $3, $4)`, [uuid.v4(), username, hash, role])
         const q2 = t.none(`DELETE FROM user_register_tokens WHERE token=$1`, [token])