hash device codes

2026-02-10 20:02:26 +00:00 · 2025-11-03 17:03:46 -08:00
parent 5746d69f98
commit 0790f37f5e
3 changed files with 40 additions and 4 deletions
--- a/server/routers/auth/pollDeviceWebAuth.ts
+++ b/server/routers/auth/pollDeviceWebAuth.ts
@@ -11,6 +11,8 @@ import {
    createSession,
    generateSessionToken
 } from "@server/auth/sessions/app";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";

 const paramsSchema = z.object({
    code: z.string().min(1, "Code is required")
@@ -18,6 +20,13 @@ const paramsSchema = z.object({

 export type PollDeviceWebAuthParams = z.infer<typeof paramsSchema>;

+// Helper function to hash device code before querying database
+function hashDeviceCode(code: string): string {
+    return encodeHexLowerCase(
+        sha256(new TextEncoder().encode(code))
+    );
+}
+
 export type PollDeviceWebAuthResponse = {
    verified: boolean;
    token?: string;
@@ -68,11 +77,14 @@ export async function pollDeviceWebAuth(
        const now = Date.now();
        const requestIp = extractIpFromRequest(req);

+        // Hash the code before querying
+        const hashedCode = hashDeviceCode(code);
+
        // Find the code in the database
        const [deviceCode] = await db
            .select()
            .from(deviceWebAuthCodes)
-            .where(eq(deviceWebAuthCodes.code, code))
+            .where(eq(deviceWebAuthCodes.code, hashedCode))
            .limit(1);

        if (!deviceCode) {
--- a/server/routers/auth/startDeviceWebAuth.ts
+++ b/server/routers/auth/startDeviceWebAuth.ts
@@ -10,6 +10,8 @@ import { alphabet, generateRandomString } from "oslo/crypto";
 import { createDate } from "oslo";
 import { TimeSpan } from "oslo";
 import { maxmindLookup } from "@server/db/maxmind";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";

 const bodySchema = z.object({
    deviceName: z.string().optional(),
@@ -30,6 +32,13 @@ function generateDeviceCode(): string {
    return `${part1}-${part2}`;
 }

+// Helper function to hash device code before storing in database
+function hashDeviceCode(code: string): string {
+    return encodeHexLowerCase(
+        sha256(new TextEncoder().encode(code))
+    );
+}
+
 // Helper function to extract IP from request
 function extractIpFromRequest(req: Request): string | undefined {
    const ip = req.ip || req.socket.remoteAddress;
@@ -99,6 +108,9 @@ export async function startDeviceWebAuth(
        // Generate device code
        const code = generateDeviceCode();

+        // Hash the code before storing in database
+        const hashedCode = hashDeviceCode(code);
+
        // Extract IP from request
        const ip = extractIpFromRequest(req);

@@ -108,9 +120,9 @@ export async function startDeviceWebAuth(
        // Set expiration to 5 minutes from now
        const expiresAt = createDate(new TimeSpan(5, "m")).getTime();

-        // Insert into database
+        // Insert into database (store hashed code)
        await db.insert(deviceWebAuthCodes).values({
-            code,
+            code: hashedCode,
            ip: ip || null,
            city: city || null,
            deviceName: deviceName || null,
--- a/server/routers/auth/verifyDeviceWebAuth.ts
+++ b/server/routers/auth/verifyDeviceWebAuth.ts
@@ -7,12 +7,21 @@ import logger from "@server/logger";
 import { response } from "@server/lib/response";
 import { db, deviceWebAuthCodes } from "@server/db";
 import { eq, and, gt } from "drizzle-orm";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";

 const bodySchema = z.object({
    code: z.string().min(1, "Code is required"),
    verify: z.boolean().optional().default(false) // If false, just check and return metadata
 }).strict();

+// Helper function to hash device code before querying database
+function hashDeviceCode(code: string): string {
+    return encodeHexLowerCase(
+        sha256(new TextEncoder().encode(code))
+    );
+}
+
 export type VerifyDeviceWebAuthBody = z.infer<typeof bodySchema>;

 export type VerifyDeviceWebAuthResponse = {
@@ -49,13 +58,16 @@ export async function verifyDeviceWebAuth(

        logger.debug("Verifying device web auth code:", { code });

+        // Hash the code before querying
+        const hashedCode = hashDeviceCode(code);
+
        // Find the code in the database that is not expired and not already verified
        const [deviceCode] = await db
            .select()
            .from(deviceWebAuthCodes)
            .where(
                and(
-                    eq(deviceWebAuthCodes.code, code),
+                    eq(deviceWebAuthCodes.code, hashedCode),
                    gt(deviceWebAuthCodes.expiresAt, now),
                    eq(deviceWebAuthCodes.verified, false)
                )