From df312009b873ce139ded4292c4ff5b1684c318cf Mon Sep 17 00:00:00 2001
From: Kibi Kelburton
Date: Fri, 22 May 2026 15:34:23 +0200
Subject: [PATCH] attempting to fix legacy user accounts with less than 20 characters.
---
 public/s/js/f0ckm.js | 2 +-
 src/inc/lib.mjs | 28 ++++++++++++++++++++++++----
 views/login.html | 2 +-
 views/snippets/footer.html | 2 +-
 views/snippets/navbar.html | 2 +-
 5 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/public/s/js/f0ckm.js b/public/s/js/f0ckm.js
index 6d1c971..ea46cd7 100644
--- a/public/s/js/f0ckm.js
+++ b/public/s/js/f0ckm.js
@@ -525,7 +525,7 @@ window.cancelAnimFrame = (function () {
 const formData = new FormData(loginForm);
 const params = new URLSearchParams(formData);
- if (formData.get('password') && formData.get('password').length < 10) {
+ if (!formData.get('password')) {
 let errDiv = loginForm.querySelector('.flash-error');
 if (!errDiv) {
 errDiv = document.createElement('div');
diff --git a/src/inc/lib.mjs b/src/inc/lib.mjs
index 893840a..eb5fb53 100644
--- a/src/inc/lib.mjs
+++ b/src/inc/lib.mjs
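Review bot: The login submit check in public/s/js/f0ckm.js is one of two copies of the same handler (the other is in views/snippets/footer.html), and the removed lines show the copies had already drifted: `length < 10` here, `length < 20` there. Both now reduce to `if (!formData.get('password'))`, so consider moving the handler into one shared function, so that a later change cannot land in only one copy. A comment above the check, e.g. `// UX guard only; the server must validate the password itself`, would make clear that this is not a security control. The handler starts and ends outside the hunk.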
@@ -183,10 +183,30 @@ export default new class {
 return "$f0ck$" + salt + ":" + derivedKey.toString("hex");
 };
 async verify(str, hash) {
- const [salt, key] = hash.substring(6).split(":");
- const keyBuffer = Buffer.from(key, "hex");
- const derivedKey = await scrypt(str, salt, 64);
- return crypto.timingSafeEqual(keyBuffer, derivedKey);
+ if (typeof hash !== 'string') return false;
+
+ if (hash.startsWith("$f0ck$")) {
+ const parts = hash.substring(6).split(":");
+ if (parts.length !== 2) return false;
+ const [salt, key] = parts;
+ try {
+ const keyBuffer = Buffer.from(key, "hex");
+ const derivedKey = await scrypt(str, salt, 64);
+ return crypto.timingSafeEqual(keyBuffer, derivedKey);
+ } catch (e) {
+ return false;
+ }
+ }
+
+ if (hash.length === 32) {
+ return this.md5(str) === hash;
+ }
+
+ if (hash.length === 64) {
+ return this.sha256(str) === hash;
+ }
+
+ return false;
 };
 async getTags(itemid) {
 const tags = await db`
diff --git a/views/login.html b/views/login.html
index ac2145e..d4d07b5 100644
--- a/views/login.html
+++ b/views/login.html
@@ -14,7 +14,7 @@
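Review bot: The two legacy branches at the end of verify() compare unsalted MD5/SHA-256 digests with `===`, while the scrypt branch above them uses `crypto.timingSafeEqual`; the fallback should use the same constant-time comparison. The format is also chosen purely by `hash.length`, and nothing visible here upgrades a legacy record after a successful login, so those accounts stay on a fast unsalted hash indefinitely. The caller (outside this hunk) could re-store a `$f0ck$` scrypt hash whenever verification succeeds against a value that does not start with `$f0ck$`. The empty `catch (e)` also turns a genuine scrypt failure into a silent "wrong password", so logging the error there would keep the two cases distinguishable. The sketch below assumes `this.md5` and `this.sha256` return hex strings, which is not visible in the hunk.

```javascript
// … unchanged: type check and "$f0ck$" scrypt branch …

// Legacy unsalted digests: same constant-time comparison as the scrypt branch.
if (hash.length === 32 || hash.length === 64) {
  const digest = hash.length === 32 ? this.md5(str) : this.sha256(str);
  const stored = Buffer.from(hash, "utf8");
  const computed = Buffer.from(String(digest), "utf8");
  return stored.length === computed.length && crypto.timingSafeEqual(stored, computed);
}

return false;
```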
{{ error }}
@endif - +

@if(smtp_enabled) diff --git a/views/snippets/footer.html b/views/snippets/footer.html index ce81b0c..552a5c9 100644 --- a/views/snippets/footer.html +++ b/views/snippets/footer.html @@ -195,7 +195,7 @@ loginForm.addEventListener('submit', async (e) => { e.preventDefault(); const formData = new FormData(loginForm); - if (formData.get('password') && formData.get('password').length < 20) { + if (!formData.get('password')) { let errDiv = loginForm.querySelector('.flash-error'); if (!errDiv) { errDiv = document.createElement('div'); errDiv.className = 'flash-error'; loginForm.insertBefore(errDiv, loginForm.firstChild); } errDiv.textContent = 'Invalid username or password.'; diff --git a/views/snippets/navbar.html b/views/snippets/navbar.html index 3bb6d2b..350bd80 100644 --- a/views/snippets/navbar.html +++ b/views/snippets/navbar.html @@ -220,7 +220,7 @@

{{ t('auth.login_title') }}

- +