fix: update salt separator

supabase · Sep 25, 2024 · 01bf033 · 01bf033
1 parent c437900
commit 01bf033
Showing 1 changed file with 15 additions and 39 deletions.
diff --git a/internal/crypto/password.go b/internal/crypto/password.go
@@ -77,8 +77,8 @@ type FirebaseScryptHashInput struct {
 	memory        uint64
 	rounds        uint64
 	threads       uint64
-	saltSeparator string
-	signerKey     string
+	saltSeparator []byte
+	signerKey     []byte
 	salt          []byte
 	rawHash       []byte
 }
@@ -136,21 +136,13 @@ func ParseFirebaseScryptHash(hash string) (*FirebaseScryptHashInput, error) {
 		return nil, fmt.Errorf("crypto: Firebase scrypt salt has invalid base64 in the hash section %w", err)
 	}
 
-	// var saltSeparator, signerKey []byte
-	// if ss != "" {
-	// 	saltSeparator, err = base64.StdEncoding.DecodeString(ss)
-	// 	if err != nil {
-	// 	return nil, err
-	// }
-
-	// }
-	// if sk != "" {
-	// 		signerKey, err = base64.StdEncoding.DecodeString(sk)
-	// 	if err != nil {
-	// 	return nil, err
-	// }
-
-	// }
+	var saltSeparator, signerKey []byte
+	if signerKey, err = base64.StdEncoding.DecodeString(sk); err != nil {
+		return nil, err
+	}
+	if saltSeparator, err = base64.StdEncoding.DecodeString(ss); err != nil {
+		return nil, err
+	}
 
 	input := &FirebaseScryptHashInput{
 		alg:           alg,
@@ -160,8 +152,8 @@ func ParseFirebaseScryptHash(hash string) (*FirebaseScryptHashInput, error) {
 		threads:       threads,
 		salt:          salt,
 		rawHash:       rawHash,
-		saltSeparator: ss,
-		signerKey:     sk,
+		saltSeparator: saltSeparator,
+		signerKey:     signerKey,
 	}
 
 	return input, nil
@@ -286,7 +278,7 @@ func compareHashAndPasswordFirebaseScrypt(ctx context.Context, hash, password st
 		attribute.Int64("r", int64(input.rounds)),
 		attribute.Int("p", int(input.threads)),
 		attribute.Int("len", len(input.rawHash)),
-	}
+	} // #nosec G115
 
 	var match bool
 	var derivedKey []byte
@@ -298,7 +290,7 @@ func compareHashAndPasswordFirebaseScrypt(ctx context.Context, hash, password st
 
 	switch input.alg {
 	case "fbscrypt":
-		const keyLen = 32
+		const keyLen = 32 // Default length
 		derivedKey, err = firebaseScrypt([]byte(password), input.salt, input.signerKey, input.saltSeparator, input.memory, input.rounds, input.threads, keyLen)
 		if err != nil {
 			return err
@@ -316,24 +308,8 @@ func compareHashAndPasswordFirebaseScrypt(ctx context.Context, hash, password st
 	return nil
 }
 
-func firebaseScrypt(password, salt []byte, signerKey, saltSeparator string, memCost, rounds, p, keyLen uint64) ([]byte, error) {
-	var (
-		sk, ss []byte
-		err    error
-	)
-
-	if sk, err = base64.StdEncoding.DecodeString(signerKey); err != nil {
-		return nil, err
-	}
-	if ss, err = base64.StdEncoding.DecodeString(saltSeparator); err != nil {
-		return nil, err
-	}
-
-	return key(password, salt, sk, ss, memCost, rounds, p, keyLen)
-}
-
-func key(password, salt, signerKey, saltSeparator []byte, memCost, rounds, p, keyLen uint64) ([]byte, error) {
-	ck, err := scrypt.Key(password, append(salt, saltSeparator...), int(memCost), int(rounds), int(p), int(keyLen))
+func firebaseScrypt(password, salt, signerKey, saltSeparator []byte, memCost, rounds, p, keyLen uint64) ([]byte, error) {
+	ck, err := scrypt.Key(password, append(salt, saltSeparator...), int(memCost), int(rounds), int(p), int(keyLen)) // #nosec G115
 	if err != nil {
 		return nil, err
 	}