Save bcrypt password checks s in local memory (#6)

https://security.stackexchange.com/questions/10520/is-it-safe-or-even-common-to-cache-bcrypt-checks-in-memory/10522#10522
alexandrainst · Oct 17, 2023 · f621c92 · f621c92
1 parent 42018e1
commit f621c92
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -5,8 +5,14 @@
 This Node-RED module performs [HTTP Basic authentication](https://developer.mozilla.org/docs/Web/HTTP/Authentication).
 It is to be used in conjunction with an [HTTP Input node](https://cookbook.nodered.org/http/create-an-http-endpoint).
 
-Supports [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) to store passwords
-(such as in the [Apache password format](https://httpd.apache.org/docs/current/misc/password_encryptions.html)).
+In other words, it allows putting a password on a Node-RED HTTP listener node.
+
+Note that this standard protocol sends passwords in plain-text by design, so HTTPS is required to ensure the security of the transmission.
+
+Supports [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) to store passwords on disc
+(such as in the [Apache htpasswd format](https://httpd.apache.org/docs/current/misc/password_encryptions.html)).
+Note that this node will cache the bcrypt checks in memory (until the flow is redeployed / restarted)
+to improve performance (bcrypt is slow by design, to protect passwords on disc).
 
 ## Example
 

diff --git a/nodes/http-auth.js b/nodes/http-auth.js
@@ -7,6 +7,12 @@ try {
 	bcrypt = require('bcryptjs');
 }
 
+/**
+ * Cache in local memory the bcrypt decryption (which is very slow by design).
+ * Reset when the flow is redeployed or restarted.
+ */
+const bcryptCache = {};
+
 function passwordCompare(plain, hash) {
 	if (plain == '' || hash == '') {
 		return false;
@@ -18,7 +24,17 @@ function passwordCompare(plain, hash) {
 	// Compatibility work-around for 'bcrypt' library
 	hash = hash.replace(/^\$2[x|y]\$/, '$2b$');
 
-	return bcrypt.compareSync(plain, hash);
+	if (plain === bcryptCache[hash]) {
+		return true;
+	}
+
+	const success = bcrypt.compareSync(plain, hash);
+
+	if (success) {
+		bcryptCache[hash] = plain;
+	}
+
+	return success;
 }
 
 function basicAuth(authStr, node, msg) {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "@alexandrainst/node-red-http-basic-auth",
-	"version": "3.0.0",
+	"version": "3.1.0",
 	"description": "Node-RED node for HTTP Basic Authorization",
 	"keywords": [
 		"node-red",
@@ -9,6 +9,9 @@
 		"basic",
 		"auth",
 		"authorization",
+		"access",
+		"htpasswd",
+		"password",
 		"rfc2617",
 		"rfc7617"
 	],

diff --git a/test.sh b/test.sh
@@ -3,6 +3,7 @@
 test=$(
 	cat <<'EOF' | node ./index.js http-basic-auth --realm='"node-red"' --username='"test"' --password='"$2y$10$5TSZDldoJ7MxDZdtK/SG2O3cwORqLDhHabYlKX9OsM.W/Z/oLwKW6"'
 {"req":{"headers":{"authorization":"Basic dGVzdDp0ZXN0"}}}
+{"req":{"headers":{"authorization":"Basic dGVzdDp0ZXN0"}}}
 EOF
 )