perf(backend)!: Remove bcrypt, change password hash to crypto

packages/backend/package.json

@@ -42,16 +42,16 @@
   ],
   "peerDependencies": {
     "@nestjs/apollo": "^12",
+    "@nestjs/common": "^10.3.10",
+    "@nestjs/core": "^10.3.10",
     "@nestjs/graphql": "^12",
     "@react-email/components": "^0.0.21",
     "class-validator": "^0.14.1",
     "drizzle-kit": "0.22.8",
     "drizzle-orm": "0.31.4",
     "react": "^19.0.0-rc.0",
     "react-dom": "^19.0.0-rc.0",
-    "typescript": "^5.5.3",
-    "@nestjs/core": "^10.3.10",
-    "@nestjs/common": "^10.3.10"
+    "typescript": "^5.5.3"
   },
   "dependencies": {
     "@apollo/server": "^4.10.4",
@@ -64,7 +64,6 @@
     "@react-email/render": "^0.0.16",
     "@swc/cli": "^0.4.0",
     "@swc/core": "^1.6.13",
-    "bcrypt": "^5.1.1",
     "busboy": "^1.6.0",
     "cookie-parser": "^1.4.6",
     "helmet": "^7.1.0",
@@ -77,11 +76,10 @@
     "vitnode-shared": "workspace:*"
   },
   "devDependencies": {
-    "@nestjs/graphql": "^12.2.0",
     "@nestjs/common": "^10.3.10",
     "@nestjs/core": "^10.3.10",
+    "@nestjs/graphql": "^12.2.0",
     "@react-email/components": "^0.0.21",
-    "@types/bcrypt": "^5.0.2",
     "@types/busboy": "^1.5.4",
     "@types/cookie-parser": "^1.4.7",
     "@types/express": "^4.17.21",
@@ -91,12 +89,12 @@
     "@types/object-path": "^0.11.4",
     "@types/pg": "^8.11.6",
     "@types/react": "^18.3.3",
-    "class-validator": "^0.14.1",
     "class-transformer": "^0.5.1",
+    "class-validator": "^0.14.1",
     "concurrently": "^8.2.2",
+    "dotenv": "^16.4.5",
     "drizzle-kit": "^0.22.8",
     "drizzle-orm": "^0.31.4",
-    "dotenv": "^16.4.5",
     "eslint-config-typescript-vitnode": "workspace:*",
     "express": "^4.19.2",
     "graphql": "^16.9.0",

packages/backend/src/app.module.ts

@@ -119,8 +119,6 @@ const config = () => {
     login_token_secret: process.env.LOGIN_TOKEN_SECRET ?? '',
     frontend_url: frontend_url.url,
     port: parseInt(process.env.PORT, 10) || 8080,
-    password_salt: 10,
-    password_reset_salt: 9,
     cookies: {
       domain:
         frontend_url.hostname === 'localhost'

packages/backend/src/core/members/reset_password/change_password/change_password.service.ts

@@ -1,23 +1,19 @@
 import { Injectable } from '@nestjs/common';
-import { ConfigService } from '@nestjs/config';
 import { eq } from 'drizzle-orm';
 
 import { ChangePasswordCoreMembersArgs } from './dto/change_password.args';
 
 import { DatabaseService } from '@/utils/database/database.service';
 import { User } from '@/decorators';
-import { encryptPassword } from '@/core/sessions/encrypt_password';
+import { encryptPassword } from '@/core/sessions/password';
 import {
   core_users,
   core_users_pass_reset,
 } from '@/plugins/core/admin/database/schema/users';
 
 @Injectable()
 export class ChangePasswordCoreMembersService {
-  constructor(
-    private readonly databaseService: DatabaseService,
-    private readonly configService: ConfigService,
-  ) {}
+  constructor(private readonly databaseService: DatabaseService) {}
 
   async change_password({
     hashKey,
@@ -29,7 +25,7 @@ export class ChangePasswordCoreMembersService {
       });
 
     const id = keyData.user_id;
-    const hashPassword = await encryptPassword(this.configService, password);
+    const hashPassword = await encryptPassword(password);
 
     const update = await this.databaseService.db
       .update(core_users)

packages/backend/src/core/members/reset_password/create_key/create_key.service.ts

@@ -1,22 +1,19 @@
 import { Inject, Injectable } from '@nestjs/common';
-import { genSalt, hash } from 'bcrypt';
-import { generateRandomString } from 'vitnode-shared';
-import { ConfigService } from '@nestjs/config';
+// import { generateRandomString } from 'vitnode-shared';
 
 import { CreateKeyResetPasswordCoreMembersArgs } from './dto/create_key.args';
 import { ContentCreateKeyEmail } from './_email/content';
 
 import { DatabaseService } from '@/utils/database/database.service';
 import { NotFoundError } from '@/errors';
-import { core_users_pass_reset } from '@/plugins/core/admin/database/schema/users';
+// import { core_users_pass_reset } from '@/plugins/core/admin/database/schema/users';
 import { SendAdminEmailService } from '../../../admin/email/send/send.service';
 import { EmailHelpersServiceType, getTranslationForEmail } from '@/providers';
 
 @Injectable()
 export class CreateKeyResetPasswordCoreMembersService {
   constructor(
     private readonly databaseService: DatabaseService,
-    private readonly configService: ConfigService,
     private readonly mailService: SendAdminEmailService,
     @Inject('EmailHelpersService')
     private readonly emailHelpersService: EmailHelpersServiceType,
@@ -33,16 +30,16 @@ export class CreateKeyResetPasswordCoreMembersService {
       throw new NotFoundError('User');
     }
 
-    const key = generateRandomString(32);
-    const keySalt = await genSalt(
-      this.configService.getOrThrow('password_reset_salt'),
-    );
-    const hashKey = await hash(key, keySalt);
-    await this.databaseService.db.insert(core_users_pass_reset).values({
-      user_id: user.id,
-      key: hashKey,
-      expires: new Date(Date.now() + 1000 * 60 * 60), // 1 hour
-    });
+    // const key = generateRandomString(32);
+    // const keySalt = await genSalt(
+    //   this.configService.getOrThrow('password_reset_salt'),
+    // );
+    // const hashKey = await hash(key, keySalt);
+    // await this.databaseService.db.insert(core_users_pass_reset).values({
+    //   user_id: user.id,
+    //   key: hashKey,
+    //   expires: new Date(Date.now() + 1000 * 60 * 60), // 1 hour
+    // });
 
     const t = getTranslationForEmail('core.reset_password', user.language);
 
@@ -52,7 +49,7 @@ export class CreateKeyResetPasswordCoreMembersService {
       message: ContentCreateKeyEmail({
         language: user.language,
         helpers: this.emailHelpersService.getHelpersForEmail(),
-        key: hashKey,
+        key: '',
       }),
       preview_text: t('preview_text'),
       user,

packages/backend/src/core/sessions/password.ts

@@ -0,0 +1,28 @@
+import crypto from 'crypto';
+
+async function encryptPassword(password: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const salt = crypto.randomBytes(8).toString('hex');
+
+    crypto.scrypt(password, salt, 64, (err, derivedKey) => {
+      if (err) reject(err);
+
+      resolve(salt + ':' + derivedKey.toString('hex'));
+    });
+  });
+}
+
+async function verifyPassword(
+  password: string,
+  hash: string,
+): Promise<boolean> {
+  return new Promise((resolve, reject) => {
+    const [salt, key] = hash.split(':');
+    crypto.scrypt(password, salt, 64, (err, derivedKey) => {
+      if (err) reject(err);
+      resolve(key == derivedKey.toString('hex'));
+    });
+  });
+}
+
+export { encryptPassword, verifyPassword };

packages/backend/src/core/sessions/sign_in/sign_in.service.ts

@@ -1,11 +1,11 @@
 import { Injectable } from '@nestjs/common';
-import { compare } from 'bcrypt';
 import { JwtService } from '@nestjs/jwt';
 import { ConfigService } from '@nestjs/config';
 import { and, eq } from 'drizzle-orm';
 
 import { SignInCoreSessionsArgs } from './dto/sign_in.args';
 import { DeviceSignInCoreSessionsService } from './device.service';
+import { verifyPassword } from '../password';
 
 import { GqlContext } from '../../../utils';
 import { DatabaseService } from '@/utils/database/database.service';
@@ -182,7 +182,7 @@ export class SignInCoreSessionsService {
     });
     if (!user) throw new AccessDeniedError();
 
-    const validPassword = await compare(password, user.password);
+    const validPassword = await verifyPassword(password, user.password);
     if (!validPassword) throw new AccessDeniedError();
 
     // If admin mode is enabled, check if user has access to admin cp

packages/backend/src/core/sessions/sign_up/sign_up.service.ts

@@ -6,7 +6,7 @@ import { removeSpecialCharacters } from 'vitnode-shared';
 import { SignUpCoreSessionsArgs } from './dto/sign_up.args';
 import { SignUpCoreSessionsObj } from './dto/sign_up.obj';
 import { AvatarColorService } from './helpers/avatar-color.service';
-import { encryptPassword } from '../encrypt_password';
+import { encryptPassword } from '../password';
 
 import { CaptchaCoreCaptchaSecurityService } from '@/core/admin/security/captcha/captcha.service';
 import { DatabaseService } from '@/utils/database/database.service';
@@ -83,7 +83,7 @@ export class SignUpCoreSessionsService extends AvatarColorService {
       });
     }
 
-    const hashPassword = await encryptPassword(this.configService, password);
+    const hashPassword = await encryptPassword(password);
 
     const user = await this.databaseService.db
       .insert(core_users)

packages/frontend/src/components/ui/form.tsx

@@ -13,8 +13,8 @@ import {
   useFormContext,
 } from 'react-hook-form';
 import { useTranslations } from 'next-intl';
-import { useBeforeUnload } from '@/helpers/use-before-unload';
 
+import { useBeforeUnload } from '@/helpers/use-before-unload';
 import { Label } from './label';
 import { useDialog } from './dialog';
 

packages/frontend/src/hooks/core/sign/up/use-sign-up-view.ts

@@ -81,6 +81,8 @@ export const useSignUpView = () => {
     } catch (err) {
       const error = err as ErrorType | undefined;
 
+      console.log('error', error);
+
       if (error?.extensions) {
         const { code } = error.extensions;