From 211b70ca3771fb42c5284d5a8565e7a2bad1ac3a Mon Sep 17 00:00:00 2001 From: Lucas Nicodemus Date: Sun, 21 Nov 2021 14:44:53 -0800 Subject: [PATCH] Upgrade blank passwords to bcrypt hashes Previously, blank passwords were not upgraded to bcrypt hashes. This is annoying and problematic because it makes it difficult to remove the old password hashing system because those passwords might still be checked against non-bcrypt hashes. --- CHANGELOG.md | 1 + TShockAPI/DB/UserManager.cs | 6 +----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 57edca99..6ec260b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin * Fixed an issue where `/god [player]` would tell `[player]` that they were in godmode regardless of whether or not they were or not. (@hakusaro, @Kojirremer) * In `TSAPI`: Updated `PacketTypes` to support `SetMiscEventValues` (140), `RequestLucyPopup` (141), and `SyncProjectileTrackers` (142). (@hakusaro) * Added `DisableDefaultIPBan` to the config file. If set to `true`, the server will not automatically IP ban players when banning them. This is useful if you run an intercepting proxy in front of TShock, and all players share the same IP. (@hakusaro, and Telegram user xmzzhh233) +* Blank passwords will be upgraded to `bcrypt` hashes automatically. Previously, blank passwords were not upgraded to bcrypt hashes. This is in preparation to remove the old password hashing system and related fallback components in the next release. Most users have been using bcrypt hashes for the past...few years. (@hakusaro) ## TShock 4.5.5 * Changed the world autosave message so that it no longer warns of a "potential lag spike." (@hakusaro) diff --git a/TShockAPI/DB/UserManager.cs b/TShockAPI/DB/UserManager.cs index 4fedaaed..49f6b73c 100644 --- a/TShockAPI/DB/UserManager.cs +++ b/TShockAPI/DB/UserManager.cs 
@@ -444,15 +444,11 @@ namespace TShockAPI.DB UpgradePasswordWorkFactor(password); return true; } - } + } catch (SaltParseException) { if (String.Equals(HashPassword(password), Password, StringComparison.InvariantCultureIgnoreCase)) { - // Return true to keep blank passwords working but don't convert them to bcrypt. - if (Password == "non-existant password") { - return true; - } // The password is not stored using BCrypt; upgrade it to BCrypt immediately UpgradePasswordToBCrypt(password); return true;
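Review bot: In the CHANGELOG.md hunk, the added entry reads "Blank passwords will be upgraded to `bcrypt` hashes automatically", which is future tense even though the file header visible in the hunk context asks for past tense, and "automatically" does not say when the upgrade happens. The UserManager.cs hunk performs the upgrade only after a supplied password matches the legacy hash, so an account whose password is never checked before the legacy hashing is removed in the next release would still hold its old value. Suggest wording such as "Upgraded blank passwords to `bcrypt` hashes the next time the password is verified successfully", and dropping the "for the past...few years" aside.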
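Review bot: In the `catch (SaltParseException)` branch of the UserManager.cs hunk, removing the `if (Password == "non-existant password")` early return means `UpgradePasswordToBCrypt(password)` now runs for blank-password accounts, and nothing in the hunk shows that it accepts a blank `password`. If that method rejects or throws on such input, a check that previously returned true would now fail, so please confirm that path or add a test for an account whose stored value is the sentinel string. The first `- }` / `+ }` pair looks like a whitespace-only change and could be left out of this commit.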