authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-09-17 02:31:25 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-09-17 02:31:25 +0300
commit3cddbe8043e3e8aad410594c7e4466e7caeb8b41 (patch)
treec2971117e1a7dfa6f9e8174d4f41cc1239e06b77 /acf
parent5467f2ddadeaaf74dfb2109d53c4d5be9f275f20 (diff)
downloadaconf-3cddbe8043e3e8aad410594c7e4466e7caeb8b41.tar.bz2
aconf-3cddbe8043e3e8aad410594c7e4466e7caeb8b41.tar.xz
hashed passwords
Diffstat (limited to 'acf')
-rw-r--r--acf/model/aaa.lua36
1 files changed, 34 insertions, 2 deletions
diff --git a/acf/model/aaa.lua b/acf/model/aaa.lua
index d51c10f..8dea542 100644
--- a/acf/model/aaa.lua
+++ b/acf/model/aaa.lua
@@ -4,18 +4,50 @@ See LICENSE file for license details
--]]
local M = require('acf.model')
+local object = require('acf.object')
+
+local digest = require('crypto').digest
+
Role = M.new()
Role.permissions = M.Set{type=M.Reference{scope='../../../permissions'}}
+local function hash_password(algorithm, salt, password)
+ return algorithm..'$'..salt..'$'..digest(algorithm, salt..password)
+end
+
+local hash_pattern = '^(%w+)%$(%w+)%$%x+$'
+
+
+local Password = object.class(M.String)
+
+function Password:_validate(context, value)
+ value = object.super(self, M.String):_validate(context, value)
+ if value:find(hash_pattern) then return value end
+
+ local salt = ''
+ for i = 1,12 do
+ local c = math.random(48, 109)
+ if c > 57 then c = c + 7 end
+ if c > 90 then c = c + 6 end
+ salt = salt..string.char(c)
+ end
+ return hash_password('sha256', salt, value)
+end
+
+
User = M.new()
-User.password = M.String
+User.password = Password
User['real-name'] = M.String
User.superuser = M.Boolean{default=false}
User.roles = M.Set{type=M.Reference{scope='../../../roles'}}
-function User:check_password(password) return password == self.password end
+function User:check_password(password)
+ local _, _, algorithm, salt = self.password:find(hash_pattern)
+ if not salt then return false end
+ return hash_password(algorithm, salt, password) == self.password
+end
function User:check_permission(permission)
-- TODO audit trail
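Review bot: The salt loop in `Password:_validate` draws from `math.random`, which is not a cryptographic generator and is not seeded anywhere in this hunk, so unless `math.randomseed` is called elsewhere the same salts can recur after every process start. The pass-through `if value:find(hash_pattern) then return value end` (presumably there so stored hashes reload unchanged) also accepts any `word$word$hex` string as already hashed, and `check_password` then passes whatever algorithm name the stored value carries to `digest`; pinning the pattern to `sha256` and checking for 64 hex digits narrows both. The fence below sketches a salt helper that reads the kernel's random device and the tightened pattern, keeping the same 62-character salt alphabet. Separately, one round of salted SHA-256 is cheap to brute-force offline and `==` is not a constant-time comparison, so a dedicated password-hashing function would be the better long-term choice if the platform offers one.

```lua
-- only the scheme this module writes: sha256, alphanumeric salt, hex digest
local hash_pattern = '^(sha256)%$(%w+)%$(%x+)$'

local salt_alphabet =
   '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

local function random_salt(length)
   local source = assert(io.open('/dev/urandom', 'rb'))
   local chars = {}
   while #chars < length do
      local byte = source:read(1):byte()
      -- drop 248..255 so each of the 62 characters is equally likely
      if byte < 248 then
         local i = byte % 62 + 1
         chars[#chars + 1] = salt_alphabet:sub(i, i)
      end
   end
   source:close()
   return table.concat(chars)
end

function Password:_validate(context, value)
   value = object.super(self, M.String):_validate(context, value)
   local _, _, _, _, hex = value:find(hash_pattern)
   if hex and #hex == 64 then return value end
   return hash_password('sha256', random_salt(12), value)
end
```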