From 1f44e3c694884cf4b5e2b47691ee9d7c6ea80c13 Mon Sep 17 00:00:00 2001
From: baldo
Date: Thu, 14 Jul 2022 10:45:56 +0200
Subject: [PATCH] Added some sanity checks to password hashing scripts.
---
 bin/bcrypt.js | 14 ++++++++++++--
 bin/check-passwd.sh | 30 ++++++++++++++++++++++++++++++
 bin/mkpasswd.sh | 33 ++++++++++++++++++++++++++++++---
 3 files changed, 72 insertions(+), 5 deletions(-)
 create mode 100755 bin/check-passwd.sh
diff --git a/bin/bcrypt.js b/bin/bcrypt.js
index 91f342e..1c99fe2 100755
--- a/bin/bcrypt.js
+++ b/bin/bcrypt.js
@@ -5,6 +5,9 @@ const saltRounds = 10;
 const stdout = process.stdout
 const stdin = process.stdin
+const argv = process.argv;
+
+const checkHash = argv.length > 2 ? argv[2] : undefined;
 let password = '';
@@ -19,6 +22,13 @@ process.stdin.on('end', () => {
 if (password[password.length - 1] === '\n') {
 password = password.substring(0, password.length - 1);
 }
- const hash = bcrypt.hashSync(password, saltRounds);
- stdout.write(`${hash}\n`);
+
+ if (checkHash !== undefined) {
+ const validPassword = bcrypt.compareSync(password, checkHash);
+ stdout.write(`${validPassword ? 'Valid password' : 'Invalid password'}\n`);
+ process.exit(validPassword ? 0 : 255);
+ } else {
+ const hash = bcrypt.hashSync(password, saltRounds);
+ stdout.write(`${hash}\n`);
+ }
 });
diff --git a/bin/check-passwd.sh b/bin/check-passwd.sh
new file mode 100755
index 0000000..13b05fa
--- /dev/null
+++ b/bin/check-passwd.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+if [[ "$#" -ne 1 ]]; then
+ echo "usage: check-passwd.sh '[password hash]'"
+ exit 1
+fi
+
+password_hash="$1"
+
+if ! [[ "$password_hash" =~ ^\$2[ab]\$[0-9]+\$.{53}$ ]]; then
+ echo "Invalid password hash. Did you forget to quote it in '...'?"
+ exit 1
+fi
+
+while :; do
+ read -sp "Password: " password
+ echo
+
+ if node ./bcrypt.js "$password_hash" <<<"$password"; then
+ break
+ fi
+
+ echo
+ echo "Passwords do not match, try again."
+ echo
+done
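Review bot: Taking the hash from `argv[2]` puts it on the command line, where other local users can usually read it from the process list while the script runs; the password itself still arrives on stdin, which avoids that exposure. If the hash is meant to stay private on a shared host, read it from an environment variable or from a second line of stdin instead. The mode switch is also undocumented, so a comment above `checkHash` would help, for example `// With a hash as first argument, verify the stdin password against it instead of hashing.` The new `const argv = process.argv;` ends with a semicolon while the two declarations above it do not, so the file now mixes both styles.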
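Review bot: Calling `process.exit(...)` right after `stdout.write(...)` in the check branch is fragile, because Node does not guarantee that pending stdout writes are flushed before `process.exit()` ends the process; `process.exitCode = validPassword ? 0 : 255;` keeps the status and lets the output drain. Callers also cannot tell a wrong password from a failure: if `compareSync` throws (for example on an unexpected hash argument — not confirmed for this bcrypt library), Node exits non-zero as well, and both shell scripts treat every non-zero status as a mismatch. A comment above the branch stating which status means "invalid password" would make that contract explicit. The `end` handler starts above this hunk.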
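Review bot: `read -sp "Password: " password` runs without `-r` and with the default `IFS`, so a backslash in the typed password is consumed as an escape and leading or trailing whitespace is stripped before the value reaches bcrypt.js; `IFS= read -rsp "Password: " password` passes the input through unchanged. mkpasswd.sh reads the password the same way in its unchanged lines, so the two scripts agree with each other, but the hash they produce and verify may not correspond to what the user actually typed. Separately, the loop prints "Passwords do not match" for any non-zero exit of node, including a missing module, and then prompts again indefinitely; distinguishing the mismatch status from other failures would let the script abort on the latter.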
diff --git a/bin/mkpasswd.sh b/bin/mkpasswd.sh
index 1a58bf1..067006b 100755
--- a/bin/mkpasswd.sh
+++ b/bin/mkpasswd.sh
@@ -4,20 +4,47 @@ set -e
 cd "$(dirname "${BASH_SOURCE[0]}")"
+function hash() {
+ local password="$1"
+ node ./bcrypt.js <<<"$password"
+}
+
+function check() {
+ local password="$1"
+ local hash="$2"
+ node ./bcrypt.js "$hash" <<<"$password" > /dev/null
+}
+
 while :; do
 read -sp "Password: " password
 echo
+ if [[ -z "$password" ]]; then
+ echo
+ echo "Your input was empty. Pleas provide a password."
+ echo
+ continue
+ fi
+
 read -sp "Confirm: " confirmation
 echo
- if [[ "$password" == "$confirmation" ]]; then
+ if ! [[ "$password" == "$confirmation" ]]; then
+ echo
+ echo "Passwords do not match, try again."
+ echo
+ continue
+ fi
+
+ password_hash=$(hash "$password")
+ if check "$password" "$password_hash"; then
 break
 fi
 echo
- echo "Passwords do not match, try again."
+ echo "Failed to verify password after hashing. This should not happen."
 echo
 done
-exec node ./bcrypt.js <<<"$password"
+echo
+echo "$password_hash"
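Review bot: The new empty-input check is a natural place to also reject or warn on passwords longer than 72 bytes, since bcrypt implementations generally use only the first 72 bytes, and the round-trip `check` cannot detect this because hashing and comparing truncate alike. For example, after the `-z` test: `if (( $(printf '%s' "$password" | wc -c) > 72 )); then echo "Password is longer than 72 bytes; bcrypt would ignore the rest."; continue; fi`. The helper named `hash` shadows the bash builtin of the same name (and `check` reuses `hash` as a local variable), so `hash_password` and `verify_password` would be clearer names. The new message also contains a typo: "Pleas" should be "Please".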