Fix: close #26

Finally I figured out a backward compatible solution of password verification

Author: winderica

packages/backend/src/services/auth.service.ts

@@ -5,7 +5,7 @@ import { Role } from '@constants/enums';
 import { JwtPayload } from '@interfaces/jwt.interface';
 import { CandidatesService } from '@services/candidates.service';
 import { UsersService } from '@services/users.service';
-import { verify } from '@utils/scrypt';
+import { backwardCompatibleVerify, verify } from '@utils/scrypt';
 
 @Injectable()
 export class AuthService {
@@ -20,7 +20,11 @@ export class AuthService {
         const user = await this.usersService.findIdentityByPhone(phone);
         if (user) {
             const { password: { hash, salt }, id } = user;
-            if (await verify(hash, salt, password)) {
+            if (Buffer.from(salt, 'base64').length !== 16 && await verify(hash, salt, password)) {
+                return id;
+            } else if (await backwardCompatibleVerify(Buffer.from(hash, 'base64').toString(), salt, password)) {
+                user.password = await this.usersService.hashPassword(password);
+                await user.save();
                 return id;
             }
         }

packages/backend/src/services/users.service.ts

@@ -17,7 +17,7 @@ export class UsersService extends BasicCRUDService<UserEntity> {
         super(repository);
     }
 
-    findIdentityByPhone(phone: string): Promise<Pick<UserEntity, 'id' | 'password'> | undefined> {
+    findIdentityByPhone(phone: string) {
         return this.findOne(
             {
                 phone,

packages/backend/src/utils/migrate.ts

@@ -88,8 +88,11 @@ export const migrate = async (app: INestApplication) => {
     await recruitmentsService.clear();
     await usersService.clear();
     await Promise.all(users.map(async (
-        { weChatID, avatar, gender, group, isAdmin, isCaptain, joinTime, mail, phone, username },
+        { weChatID, avatar, gender, group, isAdmin, isCaptain, joinTime, mail, phone, username, password },
     ) => {
+        if (password) {
+            password.hash = Buffer.from(password.hash).toString('base64');
+        }
         joinTime = joinTime === '2018年3月' ? '2018S' // two lucky guys
             : joinTime === '2017日常招新' ? '2017A' // this kind of recruitments are not supported yet
                 : joinTime.replaceAll('年', '');
@@ -105,7 +108,7 @@ export const migrate = async (app: INestApplication) => {
             avatar: avatar || undefined,
             isAdmin,
             isCaptain,
-            password: await hash(randomBytes(512).toString('hex')),
+            password: password || await hash(randomBytes(512).toString('hex')),
         });
     }));
     await Promise.all(recruitments.map(async (

packages/backend/src/utils/scrypt.ts

@@ -6,7 +6,7 @@ interface ScryptResult {
 }
 
 export const hash = (password: string) => new Promise<ScryptResult>((resolve, reject) => {
-    const salt = randomBytes(16);
+    const salt = randomBytes(32);
     scrypt(password, salt, 64, (err, derivedKey) => {
         if (err) {
             return reject(err);
@@ -18,6 +18,17 @@ export const hash = (password: string) => new Promise<ScryptResult>((resolve, re
     });
 });
 
+// TODO: deprecate it in v4
+export const backwardCompatibleVerify = (hash: string, salt: string, password: string) =>
+    new Promise<boolean>((resolve, reject) => {
+        scrypt(password, salt, 64, (err, derivedKey) => {
+            if (err) {
+                return reject(err);
+            }
+            return resolve(derivedKey.toString() === hash);
+        });
+    });
+
 export const verify = (hash: string, salt: string, password: string) => new Promise<boolean>((resolve, reject) => {
     scrypt(password, Buffer.from(salt, 'base64'), 64, (err, derivedKey) => {
         if (err) {