Merge pull request #31 from fuzziecoder/codex/fix-issue-#26-by-migrating-to-db-aljyuy

fuzziecoder · web-flow · commit af477ba1f17e · 2026-02-20T20:25:41.000+05:30
Secure backend: scrypt password hashing and legacy migration (Issue #28)
diff --git a/backend/README.md b/backend/README.md
@@ -19,6 +19,11 @@ Server starts at `http://localhost:4000` by default.
 - On first start, seed data is inserted for users, spots, catalog items, and a sample order.
 - New orders are validated against DB data (known `spotId`, `userId`, `productId`) and item pricing is always derived from catalog prices in the database.
 
+### Issue #28: Secure credential storage and verification
+
+- Passwords are stored as salted `scrypt` hashes (not plaintext).
+- Legacy plaintext user passwords are auto-migrated to hashed values on successful login.
+
 ## Available endpoints
 
 - `GET /api/health`
diff --git a/backend/db.js b/backend/db.js
@@ -1,6 +1,6 @@
 import { existsSync, mkdirSync } from 'node:fs';
 import { dirname, resolve } from 'node:path';
-import { randomUUID } from 'node:crypto';
+import { randomBytes, randomUUID, scryptSync, timingSafeEqual } from 'node:crypto';
 import { DatabaseSync } from 'node:sqlite';
 
 const defaultDbPath = resolve(process.cwd(), 'backend', 'data', 'brocode.sqlite');
@@ -15,6 +15,30 @@ const db = new DatabaseSync(dbPath);
 db.exec('PRAGMA journal_mode = WAL;');
 db.exec('PRAGMA foreign_keys = ON;');
 
+const HASH_PREFIX = 'scrypt$';
+const SCRYPT_KEY_LENGTH = 64;
+
+const hashPassword = (password, saltHex = randomBytes(16).toString('hex')) => {
+  const derivedKey = scryptSync(password, Buffer.from(saltHex, 'hex'), SCRYPT_KEY_LENGTH);
+  return `${HASH_PREFIX}${saltHex}$${derivedKey.toString('hex')}`;
+};
+
+const verifyPassword = (password, storedPassword) => {
+  if (!storedPassword?.startsWith(HASH_PREFIX)) {
+    return password === storedPassword;
+  }
+
+  const [, saltHex, expectedHashHex] = storedPassword.split('$');
+  const candidateHash = scryptSync(password, Buffer.from(saltHex, 'hex'), SCRYPT_KEY_LENGTH);
+  const expectedHash = Buffer.from(expectedHashHex, 'hex');
+
+  if (candidateHash.length !== expectedHash.length) {
+    return false;
+  }
+
+  return timingSafeEqual(candidateHash, expectedHash);
+};
+
 db.exec(`
   CREATE TABLE IF NOT EXISTS users (
     id TEXT PRIMARY KEY,
@@ -65,8 +89,8 @@ const hasUsers = db.prepare('SELECT COUNT(*) AS count FROM users').get().count >
 
 if (!hasUsers) {
   const insertUser = db.prepare('INSERT INTO users (id, username, password, name, role) VALUES (?, ?, ?, ?, ?)');
-  insertUser.run('u-1', 'brocode', 'changeme', 'Ram', 'admin');
-  insertUser.run('u-2', 'dhanush', 'changeme', 'Dhanush', 'user');
+  insertUser.run('u-1', 'brocode', hashPassword('changeme'), 'Ram', 'admin');
+  insertUser.run('u-2', 'dhanush', hashPassword('changeme'), 'Dhanush', 'user');
 
   const insertSpot = db.prepare('INSERT INTO spots (id, location, date, host_user_id) VALUES (?, ?, ?, ?)');
   insertSpot.run('spot-2025-07-26', 'Attibele Toll Plaza', '2025-07-26T10:00:00.000Z', 'u-1');
@@ -134,14 +158,27 @@ const getCatalogItemByIdStatement = db.prepare(
 
 const userExistsStatement = db.prepare('SELECT 1 AS found FROM users WHERE id = ? LIMIT 1');
 const spotExistsStatement = db.prepare('SELECT 1 AS found FROM spots WHERE id = ? LIMIT 1');
+const getUserByUsernameStatement = db.prepare('SELECT id, username, password, name, role FROM users WHERE username = ?');
+const updateUserPasswordStatement = db.prepare('UPDATE users SET password = ? WHERE id = ?');
 
 export const database = {
   getUserByCredentials(username, password) {
-    const user = db
-      .prepare('SELECT id, username, name, role FROM users WHERE username = ? AND password = ?')
-      .get(username, password);
+    const user = getUserByUsernameStatement.get(username);
+
+    if (!user || !verifyPassword(password, user.password)) {
+      return null;
+    }
 
-    return user || null;
+    if (!user.password.startsWith(HASH_PREFIX)) {
+      updateUserPasswordStatement.run(hashPassword(password), user.id);
+    }
+
+    return {
+      id: user.id,
+      username: user.username,
+      name: user.name,
+      role: user.role,
+    };
   },
 
   getCatalog() {
