

feat: remove MD5 hash usage
Signed-off-by: Oleh Astappiev <[email protected]>
astappiev committed Feb 22, 2024
1 parent 8405863 commit 031cc3a
Showing 6 changed files with 16 additions and 37 deletions.
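--- a/src/main/java/de/l3s/learnweb/user/LoginBean.java
+++ b/src/main/java/de/l3s/learnweb/user/LoginBean.java
@@ -107,7 +107,13 @@ public String login() {
 BeanAssert.hasPermission(!requestManager.isBanned(username), "username_banned");
 
 // USER AUTHORIZATION HAPPENS HERE
-final Optional<User> userOptional = userDao.findByUsernameAndPassword(username, password);
+Optional<User> userOptional;
+try {
+userOptional = userDao.findByUsernameAndPassword(username, password);
+} catch (IllegalStateException e) {
+addMessage(FacesMessage.SEVERITY_ERROR, "Your password used to be hashed with an old algorithm. Please reset your password.");
+return "/lw/user/password.xhtml?faces-redirect=true";
+}
 
 if (userOptional.isEmpty()) {
 addMessage(FacesMessage.SEVERITY_ERROR, "wrong_username_or_password");
@@ -167,7 +173,6 @@ public static String rootLogin(ApplicationBean bean, User targetUser) {
 public static String loginUser(ApplicationBean bean, User user) {
 UserBean userBean = bean.getUserBean();
 userBean.setUser(user); // logs the user in
-// addMessage(FacesMessage.SEVERITY_INFO, "welcome_username", user.getUsername());
 
 user.updateLoginDate(); // the last login date has to be updated before we log a new login event
 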
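Review bot: Catching `IllegalStateException` around `findByUsernameAndPassword` treats any illegal-state failure on that path as "legacy MD5 hash" and redirects to the password page, because the type thrown by `User.validatePassword` in this commit is too generic to be a reliable signal; a dedicated exception type (or an explicit result on `User` that the DAO can surface) would make the branch precise, and the same applies to the `User.java` hunk. Presumably the DAO looks the user up by name and only then calls `validatePassword`, in which case the reset message is produced before any password is checked, so this branch tells an unauthenticated caller that the username exists and carries a legacy hash, unlike the uniform `wrong_username_or_password` path below it. A safer shape keeps the response identical to the wrong-credentials case and triggers the reset prompt out of band (flag the account, or send the reset link to the registered address). The literal English message also bypasses the resource-bundle keys used by the neighbouring `addMessage` calls, so a key should replace it. `login()` starts and ends outside this hunk.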
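--- a/src/main/java/de/l3s/learnweb/user/RegistrationBean.java
+++ b/src/main/java/de/l3s/learnweb/user/RegistrationBean.java
@@ -195,7 +195,7 @@ private void registerUser(final User user) {
 
 if (user.getEmail() != null) {
 try {
-ImmutableTriple<String, String, InputStream> gravatar = ProfileImageHelper.getGravatarAvatar(HashHelper.md5(user.getEmail()));
+ImmutableTriple<String, String, InputStream> gravatar = ProfileImageHelper.getGravatarAvatar(HashHelper.sha256(user.getEmail()));
 
 if (gravatar != null) {
 File file = new File(File.FileType.PROFILE_PICTURE, gravatar.getLeft(), gravatar.getMiddle());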
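Review bot: `HashHelper.sha256(user.getEmail())` is handed straight to `getGravatarAvatar`, and nothing in the hunk shows the address being trimmed and lower-cased first; Gravatar resolves avatars by the hash of the normalized address, so a mixed-case or padded e-mail would never match (if `getGravatarAvatar` or `sha256` normalizes internally this is moot, but that is worth confirming). The same call in the later, unnamed file section of this commit (`setDefaultAvatars`) was switched to `sha512` instead, so the two code paths now derive different identifiers for the same user; Gravatar documents MD5 and SHA-256 lookups, so `sha256` is the variant both should use. A comment such as `// Gravatar expects the SHA-256 of the trimmed, lower-cased address` at the call site would record that contract. `registerUser` starts and ends outside this hunk.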
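--- a/src/main/java/de/l3s/learnweb/user/User.java
+++ b/src/main/java/de/l3s/learnweb/user/User.java
@@ -38,7 +38,6 @@
 import de.l3s.mail.MailFactory;
 import de.l3s.util.Deletable;
 import de.l3s.util.HasId;
-import de.l3s.util.HashHelper;
 import de.l3s.util.PBKDF2;
 import de.l3s.util.ProfileImageHelper;
 import de.l3s.util.StringHelper;
@@ -497,7 +496,7 @@ public void setPasswordRaw(String password) {
 
 public boolean validatePassword(String password) {
 if (hashing == PasswordHashing.MD5) {
-return this.password.equals(HashHelper.md5(password));
+throw new IllegalStateException("MD5 hashing is not supported anymore");
 } else if (hashing == PasswordHashing.PBKDF2) {
 return PBKDF2.validatePassword(password, this.password);
 }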
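Review bot: `validatePassword` now throws for `PasswordHashing.MD5` rows but carries no Javadoc saying so, even though the only caller shown (`LoginBean.login()`) depends on catching exactly that type; add a summary line plus `@throws IllegalStateException if the stored hash uses the retired MD5 scheme, which can no longer be verified — callers should force a password reset`. The throw happens before `password` is examined, so for such rows the outcome depends on stored state alone, and any caller that maps the exception to user-visible output should be aware of that. The method's fall-through return is outside the hunk.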
Expand Up @@ -3,6 +3,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import java.util.Optional;

import org.apache.commons.lang3.tuple.ImmutableTriple;

Expand Down Expand Up @@ -39,7 +40,7 @@ private void setDefaultAvatars() throws IOException {
if (user.getImageFileId() == 0 && user.getEmail() != null) {
log.debug("Update user: {}", user);

ImmutableTriple<String, String, InputStream> gravatar = ProfileImageHelper.getGravatarAvatar(HashHelper.md5(user.getEmail()));
ImmutableTriple<String, String, InputStream> gravatar = ProfileImageHelper.getGravatarAvatar(HashHelper.sha512(user.getEmail()));

if (gravatar != null) {
File file = new File(File.FileType.PROFILE_PICTURE, gravatar.getLeft(), gravatar.getMiddle());
Expand All @@ -58,8 +59,8 @@ private void setDefaultAvatars() throws IOException {
private void deleteMissingAvatars() {
List<User> users = userDao.findAll();
for (User user : users) {
File file = fileDao.findById(user.getImageFileId(), true).get();
if (null != file && !file.isExists()) {
Optional<File> file = fileDao.findById(user.getImageFileId(), true);
if (file.isPresent() && !file.get().isExists()) {
log.debug("Image file {} of user {} doesn't exist", file, user);
/*
fileDao.deleteHard(file);
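Review bot: After the `Optional` change in `deleteMissingAvatars`, `log.debug("Image file {} of user {} doesn't exist", file, user)` still passes `file`, which is now the `Optional<File>` wrapper, so the log line prints `Optional[...]` instead of the file; the commented-out `fileDao.deleteHard(file)` just below would likewise not compile against the `Optional` if ever re-enabled. Unwrap once and reuse the value: `Optional<File> fileOptional = fileDao.findById(user.getImageFileId(), true);` / `if (fileOptional.isPresent() && !fileOptional.get().isExists()) {` / `log.debug("Image file {} of user {} doesn't exist", fileOptional.get(), user);`. The `setDefaultAvatars` hunk above also replaces `md5` with `sha512` for the Gravatar lookup, which differs from the `sha256` chosen in `RegistrationBean` for the same call. This file's path is not shown on the page, and both methods extend beyond their hunks.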
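--- a/src/main/java/de/l3s/util/HashHelper.java
+++ b/src/main/java/de/l3s/util/HashHelper.java
@@ -12,23 +12,6 @@
 */
 public final class HashHelper {
 
-/**
-* Don't use it! :/
-*
-* @return 32 characters string
-*/
-public static String md5(String value) {
-try {
-if (StringUtils.isNotEmpty(value)) {
-MessageDigest md = MessageDigest.getInstance("MD5");
-byte[] bytes = md.digest(value.getBytes(StandardCharsets.UTF_8));
-return String.format("%032x", new BigInteger(1, bytes));
-}
-} catch (NoSuchAlgorithmException ignore) {
-}
-return null;
-}
-
 /**
 * @return 64 characters string
 */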
15 changes: 3 additions & 12 deletions src/test/java/de/l3s/util/HashHelperTest.java
Expand Up @@ -5,24 +5,15 @@
import org.junit.jupiter.api.Test;

class HashHelperTest {
private static final String TEST_VALUE = "[email protected]";

@Test
void hashMd5() {
assertNull(HashHelper.sha512(null));
assertNull(HashHelper.sha512(""));

String hash = HashHelper.md5(TEST_VALUE);
assertEquals("eb2a7c5c436a9f861e510e8593875221", hash);
}
private static final String TEST_VALUE = "test value to hash";

@Test
void hash256() {
assertNull(HashHelper.sha512(null));
assertNull(HashHelper.sha512(""));

String hash = HashHelper.sha256(TEST_VALUE);
assertEquals("1581b7cd5f747ba382b4da5b9851b763596e1d5ba3fb6eca3831ed415db3aacb", hash);
assertEquals("12b263a565322a9bc7ae12a50100cb759caf620575c97c3d05188921625a142c", hash);
}

@Test
Expand All @@ -31,6 +22,6 @@ void hash512() {
assertNull(HashHelper.sha512(""));

String hash = HashHelper.sha512(TEST_VALUE);
assertEquals("7ca8783b55fcd7845176ee7075a38faee3a9a97590a8fb1a39be5132f0008ccd1f810478cbe1bc1ee1df781c6e3cd6c28142bef551052499c43f325821cf5215", hash);
assertEquals("2f6c8b7bcfd764b3ee54b4e85e545b198f2557b8d4f00c5abf2dc431d8c45a1d2b4af1ad2f9137f2a718874b69f4468d2f3645f345d2ccf939e543cb4659187d", hash);
}
}
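Review bot: `hash256()` still asserts `assertNull(HashHelper.sha512(null))` and `assertNull(HashHelper.sha512(""))`, so after this rewrite the null/empty behaviour of `sha256` stays untested while `sha512`'s is checked in two methods; those two lines should read `assertNull(HashHelper.sha256(null));` and `assertNull(HashHelper.sha256(""));`. The new `TEST_VALUE` and expected digests are fine as fixtures, but a short comment above `TEST_VALUE` stating how the expected values were derived (for example, an independent tool over the UTF-8 bytes of the string) would let a reader re-verify them rather than trust the literals. The whole class is within this section.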
