Version 2.11 release notes
Version 2.11 of Foal is out! Here are the improvements that it brings:
Number of Iterations on Password Hashing Has Been Increased
The PBKDF2 algorithm (used for password hashing) uses a number of iterations to hash passwords. This work factor is deliberate and slows down potential attackers, making attacks against hashed passwords more difficult.
As computing power increases, the number of iterations must also increase. This is why, starting with version 2.11, the number of iterations has been increased to 310,000.
To check that an existing password hash is using the latest recommended number of iterations, you can use the passwordHashNeedsToBeRefreshed
function.
The example below shows how to perform this check during a login and how to upgrade the password hash if the number of iterations turns out to be too low.
const { email, password } = ctx.request.body;
const user = await User.findOne({ email });
if (!user) {
return new HttpResponseUnauthorized();
}
if (!await verifyPassword(password, user.password)) {
return new HttpResponseUnauthorized();
}
// This line must be after the password verification.
if (passwordHashNeedsToBeRefreshed(user.password)) {
user.password = await hashPassword(password);
await user.save();
}
// Log the user in.