change apikey and salt generation to use new php7 cryptographically s…

…ecure random_bytes function
emoncms · Jul 15, 2021 · 31523b9 · 31523b9 · inverse · Jul 16, 2021
1 parent a8dc51e
commit 31523b9
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 8 deletions.
diff --git a/Modules/user/profile/profile.js b/Modules/user/profile/profile.js
@@ -124,6 +124,10 @@ var app = new Vue({
             $.ajax({type:"POST",url: path+"user/deleteall.json", data: "mode=dryrun", dataType: 'text', success: function(result){
                 $("#deleteall-output").html(result);
             }});
+        },
+        new_apikey: function(type) {
+            $("#apikey_type").html(type);
+            $('#modalNewApikey').modal('show');
         }
     }
 });
@@ -161,6 +165,14 @@ $("#logoutdelete").click(function() {
     }});
 });
 
+$("#confirm_generate_apikey").click(function() {
+    var type = $("#apikey_type").html();
+    $.ajax({ url: path+"user/newapikey"+type+".json", dataType: 'json', success: function(result){
+        app.user['apikey_'+type] = result;
+        $('#modalNewApikey').modal('hide');
+    }});
+});
+
 // Theme selection used in conjunction with code in Lib/emoncms.js
 $(".themecolor[name='"+current_themecolor+"']").addClass("color-box-active");
 $(".themecolor").click(function() {

diff --git a/Modules/user/profile/profile.php b/Modules/user/profile/profile.php
@@ -25,6 +25,7 @@
     <tr>
       <td class="muted"><?php echo _('User ID'); ?></td>    
       <td>{{ user.id }}</td>
+      <td></td>
       <td><button class="btn btn-small btn-danger" @click="delete_account()"><?php echo _('Delete account'); ?></button></td>
     </tr>
     <tr>
@@ -37,6 +38,7 @@
         </div>
       </td>
       <td><i class="icon-pencil" v-if="!edit.username" @click="show_edit('username')"></i></td>
+      <td></td>
     </tr>
     <tr>
       <td class="muted"><?php echo _('Email'); ?></td>
@@ -48,16 +50,19 @@
         </div>
       </td>
       <td><i class="icon-pencil" v-if="!edit.email" @click="show_edit('email')"></i></td>
+      <td></td>
     </tr>
     <tr>
       <td class="muted"><?php echo _('Write API Key'); ?></td>    
       <td><div class="apikey">{{ user.apikey_write }}</div></td>
       <td><i class="icon-share" @click="copy_text_to_clipboard(user.apikey_write,'<?php echo _("Write API Key copied to clipboard"); ?>')"></i></td>
+      <td><button class="btn btn-small" @click="new_apikey('write')">Generate New</button></td>
     </tr>
     <tr>
       <td class="muted"><?php echo _('Read API Key'); ?></td>    
       <td><div class="apikey">{{ user.apikey_read }}</div></td>
       <td><i class="icon-share" @click="copy_text_to_clipboard(user.apikey_read,'<?php echo _("Read API Key copied to clipboard"); ?>')"></i></td>
+      <td><button class="btn btn-small" @click="new_apikey('read')">Generate New</button></td>
     </tr>
     <tr>
       <td class="muted"><?php echo _('Password'); ?></td>    
@@ -81,6 +86,7 @@
         </div>
       </td>
       <td><i class="icon-pencil" v-if="!edit.password" @click="show_edit('password')"></i></td>
+      <td></td>
     </tr>
   </table>
 
@@ -231,8 +237,23 @@
     </div>
 </div>
 
+<div id="modalNewApikey" class="modal hide" tabindex="-1" role="dialog" aria-labelledby="modalNewApikeyLabel" aria-hidden="true" data-backdrop="false">
+    <div class="modal-header">
+        <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
+        <h3 id="modalNewApikeyLabel">Generate a new <span id="apikey_type"></span> API key</h3>
+    </div>
+    <div class="modal-body">
+        <p><?php echo _('Are you sure you want to generate a new apikey?'); ?></p>
+        <p><?php echo _("All devices using the current key will need to be updated with the new key."); ?></p>
+    </div>
+    <div class="modal-footer">
+        <button id="cancel_generate_apikey" class="btn" data-dismiss="modal" aria-hidden="true"><?php echo _('Cancel'); ?></button>
+        <button id="confirm_generate_apikey" class="btn btn-primary"><?php echo _('Generate'); ?></button>
+    </div>
+</div>
+
 <script>
 var languages = <?php echo json_encode(get_available_languages_with_names()); ?>;
 var str_passwords_do_not_match = "<?php echo _('Passwords do not match'); ?>";
 </script>
-<script type="text/javascript" src="<?php echo $path; ?>Modules/user/profile/profile.js?v=<?php echo $v; ?>"></script>
+<script type="text/javascript" src="<?php echo $path; ?>Modules/user/profile/profile.js?v=<?php echo $v; ?>"></script>        <p><?php echo _('Are you sure you want to generate a new apikey?'); ?></p>
diff --git a/Modules/user/rememberme_model.php b/Modules/user/rememberme_model.php
@@ -203,7 +203,7 @@ public function loginTokenWasInvalid() {
     // Create a pseudo-random token.
     // ---------------------------------------------------------------------------------------------------------
     private function createToken() {
-            return md5(uniqid(mt_rand(), true));
+            return bin2hex(random_bytes(16));
     }
     // ---------------------------------------------------------------------------------------------------------
     private function getCookieValues()

diff --git a/Modules/user/user_model.php b/Modules/user/user_model.php
@@ -247,11 +247,11 @@ public function register($username, $password, $email, $timezone)
         // If we got here the username, password and email should all be valid
 
         $hash = hash('sha256', $password);
-        $salt = md5(uniqid(mt_rand(), true));
+        $salt = bin2hex(random_bytes(16));
         $password = hash('sha256', $salt . $hash);
 
-        $apikey_write = md5(uniqid(mt_rand(), true));
-        $apikey_read = md5(uniqid(mt_rand(), true));
+        $apikey_write = bin2hex(random_bytes(16));
+        $apikey_read = bin2hex(random_bytes(16));
 
         $stmt = $this->mysqli->prepare("INSERT INTO users ( username, password, email, salt ,apikey_read, apikey_write, timezone, admin) VALUES (?,?,?,?,?,?,?,0)");
         $stmt->bind_param("sssssss", $username, $password, $email, $salt, $apikey_read, $apikey_write, $timezone);
@@ -297,7 +297,7 @@ public function send_verification_email($username)
         if ($email_verified) return array('success'=>false, 'message'=>_("Email already verified"));
 
         // Create new verification key
-        $verification_key = md5(uniqid(mt_rand(), true));
+        $verification_key = bin2hex(random_bytes(16));
         // Save new verification key
         $stmt = $this->mysqli->prepare("UPDATE users SET verification_key=? WHERE id=?");
         $stmt->bind_param("si",$verification_key,$id);
@@ -812,7 +812,7 @@ public function set($userid,$data)
     public function new_apikey_read($userid)
     {
         $userid = (int) $userid;
-        $apikey = md5(uniqid(mt_rand(), true));
+        $apikey = bin2hex(random_bytes(16));
 
         $stmt = $this->mysqli->prepare("UPDATE users SET apikey_read = ? WHERE id = ?");
         $stmt->bind_param("si", $apikey, $userid);
@@ -826,7 +826,7 @@ public function new_apikey_read($userid)
     public function new_apikey_write($userid)
     {
         $userid = (int) $userid;
-        $apikey = md5(uniqid(mt_rand(), true));
+        $apikey = bin2hex(random_bytes(16));
 
         $stmt = $this->mysqli->prepare("UPDATE users SET apikey_write = ? WHERE id = ?");
         $stmt->bind_param("si", $apikey, $userid);