Optimize credential match checking

2023-08-15 14:04:29 +02:00 · 2023-08-15 14:04:29 +02:00 · f8cc7e45cd
commit f8cc7e45cd
parent cbbf8ab79b
3 changed files with 25 additions and 10 deletions
--- a/config.json
+++ b/config.json
@ -3,7 +3,7 @@
  "port": 80,
  "pubport": 80,
  "page404": "404.html",
-  "timestamp": 1691854862481,
+  "timestamp": 1692101055417,
  "blacklist": [],
  "nonStandardCodes": [],
  "enableCompression": true,
--- a/svr.js
+++ b/svr.js
@ -4440,7 +4440,22 @@ if (!cluster.isPrimary) {
          // Handle HTTP authentication
          if (authIndex > -1) {
            var authcode = nonStandardCodes[authIndex];
-
+            
+            function checkIfPasswordMatches(list, password, callback, _i) {
+                if(!_i) _i = 0;
+                var cb = function (hash) {
+                  var matches = (hash == list[_i].pass);
+                  if(matches) {
+                    callback(true);
+                  } else if(_i >= list.length-1) {
+                    callback(false);
+                  } else {
+                    checkIfPasswordMatches(list, password, callback, _i+1);
+                  }
+                }
+                cb(sha256(password + list[_i].salt));
+            }
+            
            function authorizedCallback(bruteProtection) {
              var ha = getCustomHeaders();
              ha["WWW-Authenticate"] = "Basic realm=\"" + (authcode.realm ? authcode.realm.replace(/(\\|")/g, "\\$1") : "SVR.JS HTTP Basic Authorization") + "\", charset=\"UTF-8\"";
@ -4465,14 +4480,13 @@ if (!cluster.isPrimary) {
              }
              var username = decodedCredentialsMatch[1];
              var password = decodedCredentialsMatch[2];
-              var authorized = false;
-              for (var i = 0; i < users.length; i++) {
-                var hash = sha256(password + users[i].salt);
-                if (users[i].name == username && users[i].pass == hash) {
-                  authorized = true;
-                  break;
-                }
+              var usernameMatch = users.filter(function (entry) {
+                return entry.name == username;
+              });
+              if(usernameMatch.length == 0) {
+                  usernameMatch.push({name: username, pass: "FAKEPASS", salt: "FAKESALT"});  //Fake credentials
              }
+              checkIfPasswordMatches(usernameMatch, password, function(authorized) {
              if (!authorized) {
                if (bruteProtection) {
                  if (process.send) {
@ -4501,6 +4515,7 @@ if (!cluster.isPrimary) {
                }
                modExecute(mods, vres(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, callServerError, getCustomHeaders, origHref, redirect, parsePostData));
              }
+              });
            }
            if (authcode.disableBruteProtection) {
              authorizedCallback(false);
--- a/views.txt
+++ b/views.txt
@ -1 +1 @@
-0
+2