Description
Explanation:
One should not use "Crypto.createHmac" to generate a HASH + SALT.
Normally, HMAC is used when you send a message to someone and you want to create a HASH of this message for the integrity and also for the authentication with the preshared key provided.
This means that the receiver will be able to verify that you sent this message because you share the key with her/him.
For example, HMAC is used with JW Token with the HS256 algorithm; it is the same principle.
Risk:
None.
Where is the issue?
src/js/auth.js
How to fix/Recommendation:
I recommend using Argon2 if you want to create a HASH + SALT:
https://www.npmjs.com/package/argon2
"Crypto.createHmac('sha512', salt)" ---> "await argon2.hash("password")"
"helper.sha512(password, user_entity.salt) and user_entity.passwordHash === hash" ---> "await argon2.verify("big long hash", "password")"
You will need to remove the SALT column inside the admin_user table because Argon2 creates a long string with everything inside (SALT auto generated) such as:
$argon2i$v=19$m=16,t=2,p=1$MmpqN29ta0JZRHM2TVZFQw$BgdsmoSo6kJfNbfEew71uw
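
The following is an added example, not code from the issue author or the project: it parses the sample string quoted above to show that the variant, cost parameters and salt all travel inside the one stored value, which is why a separate SALT column becomes redundant. The helper names and the `POLICY` minimums are assumptions made for illustration.

```javascript
// Added example. parseArgon2Phc, belowPolicy and POLICY are hypothetical names,
// not part of the argon2 package or of the project in this issue.
function parseArgon2Phc(encoded) {
  // Layout: $<variant>$v=<version>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
  const parts = encoded.split('$');
  if (parts.length !== 6 || parts[0] !== '') {
    throw new Error('not an Argon2 PHC string');
  }
  const [, variant, versionField, paramField, saltB64, hashB64] = parts;
  if (!/^argon2(id|i|d)$/.test(variant)) {
    throw new Error('unknown variant: ' + variant);
  }
  const version = /^v=(\d+)$/.exec(versionField);
  if (!version) throw new Error('missing version field');
  const params = {};
  for (const field of paramField.split(',')) {
    const m = /^([mtp])=(\d+)$/.exec(field);
    if (!m) throw new Error('bad parameter: ' + field);
    params[m[1]] = Number(m[2]);
  }
  if (!('m' in params && 't' in params && 'p' in params)) {
    throw new Error('m, t and p are all required');
  }
  return {
    variant,
    version: Number(version[1]),
    memoryKiB: params.m,
    iterations: params.t,
    parallelism: params.p,
    // PHC strings use unpadded base64; Buffer.from accepts that.
    salt: Buffer.from(saltB64, 'base64'),
    hash: Buffer.from(hashB64, 'base64'),
  };
}

// Assumed minimums for this example; set them from your own password policy.
const POLICY = { variant: 'argon2id', memoryKiB: 19456, iterations: 2 };

// True when a stored string was produced with weaker settings than POLICY,
// i.e. the password should be re-hashed at the user's next successful login.
function belowPolicy(encoded, policy = POLICY) {
  const p = parseArgon2Phc(encoded);
  return p.variant !== policy.variant ||
    p.memoryKiB < policy.memoryKiB || p.iterations < policy.iterations;
}

// The sample string quoted in the issue above.
const SAMPLE = '$argon2i$v=19$m=16,t=2,p=1$MmpqN29ta0JZRHM2TVZFQw$BgdsmoSo6kJfNbfEew71uw';
```

Running `belowPolicy` over existing rows during a migration separates values that can stay from those to re-hash; an old hex HMAC digest makes `parseArgon2Phc` throw, which marks the row as not yet migrated.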