feat: v5.3.0

Author: surmon-china

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+### 5.3.0 (2025-07-16)
+
+**Feature**
+
+- Improved password hash algorithm, using a more secure `bcrypt`
+
 ### 5.1.0 (2025-07-16)
 
 **Feature**

package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodepress",
-  "version": "5.2.0",
+  "version": "5.3.0",
   "description": "RESTful API service for Surmon.me blog",
   "author": "Surmon",
   "license": "MIT",
@@ -43,6 +43,7 @@
     "@typegoose/typegoose": "^12.17.x",
     "akismet-api": "^6.x",
     "axios": "^1.10.x",
+    "bcryptjs": "^3.0.x",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.x",
     "cross-env": "^7.x",

pnpm-lock.yaml

@@ -51,16 +51,21 @@ export const APP_BIZ = {
   STATIC_URL: 'https://static.surmon.me',
   /** Allowed CORS origins */
   CORS_ALLOWED_ORIGINS: ['https://surmon.me', /\.surmon\.me$/],
-  /** Authentication config */
-  AUTH: {
+  /** Default admin password */
+  PASSWORD: {
+    /** Default password for the admin user, used when no password is set in the database */
+    defaultPassword: arg({ key: 'default_password', default: 'root' }),
+    /** Bcrypt salt rounds for hashing passwords */
+    bcryptSaltRounds: arg({ key: 'bcrypt_salt_rounds', default: 10 })
+  },
+  /** Authentication config (JSON Web Token) */
+  AUTH_JWT: {
     /** JWT token expiration time in seconds */
-    expiresIn: arg({ key: 'auth_expires_in', default: 3600 }),
+    expiresIn: arg({ key: 'auth_jwt_expires_in', default: 3600 }),
     /** JWT signing secret; must be secure in production */
-    jwtSecret: arg({ key: 'auth_secret', default: 'nodepress' }),
-    /** Default payload for issued tokens */
-    data: arg<any>({ key: 'auth_data', default: { user: 'root' } }),
-    /** Default admin password */
-    defaultPassword: arg({ key: 'auth_default_password', default: 'root' })
+    secret: arg({ key: 'auth_jwt_secret', default: 'nodepress' }),
+    /** Default payload for issued JWT tokens (e.g., user role or ID) */
+    data: arg<any>({ key: 'auth_jwt_data', default: { user: 'root' } })
   }
 }
 

src/app.config.ts

@@ -15,8 +15,8 @@ import { AuthService } from './auth.service'
     // https://docs.nestjs.com/security/authentication#jwt-token
     JwtModule.register({
       global: true,
-      secret: APP_BIZ.AUTH.jwtSecret,
-      signOptions: { expiresIn: APP_BIZ.AUTH.expiresIn }
+      secret: APP_BIZ.AUTH_JWT.secret,
+      signOptions: { expiresIn: APP_BIZ.AUTH_JWT.expiresIn }
     })
   ],
   providers: [AuthService],

src/core/auth/auth.module.ts

@@ -36,7 +36,7 @@ export class AuthService {
   }
 
   public signToken() {
-    return this.jwtService.sign({ data: APP_BIZ.AUTH.data })
+    return this.jwtService.sign({ data: APP_BIZ.AUTH_JWT.data })
   }
 
   public async verifyToken(token: string): Promise<boolean> {
@@ -45,8 +45,8 @@ export class AuthService {
     }
 
     try {
-      const payload = this.jwtService.verify(token, { secret: APP_BIZ.AUTH.jwtSecret })
-      return _isEqual(payload.data, APP_BIZ.AUTH.data)
+      const payload = this.jwtService.verify(token, { secret: APP_BIZ.AUTH_JWT.secret })
+      return _isEqual(payload.data, APP_BIZ.AUTH_JWT.data)
     } catch {
       return false
     }

src/core/auth/auth.service.ts

@@ -3,11 +3,12 @@
  * @module module/admin/service
  */
 
+import bcrypt from 'bcryptjs'
 import { Injectable, UnauthorizedException, BadRequestException } from '@nestjs/common'
 import { InjectModel } from '@app/transformers/model.transformer'
 import { MongooseModel } from '@app/interfaces/mongoose.interface'
 import { AuthService } from '@app/core/auth/auth.service'
-import { decodeBase64, decodeMD5 } from '@app/transformers/codec.transformer'
+import { decodeBase64 } from '@app/transformers/codec.transformer'
 import { Admin, DEFAULT_ADMIN_PROFILE } from './admin.model'
 import { TokenResult } from './admin.interface'
 import { AdminUpdateDTO } from './admin.dto'
@@ -20,22 +21,31 @@ export class AdminService {
     @InjectModel(Admin) private readonly adminModel: MongooseModel<Admin>
   ) {}
 
-  private async getExistedPassword(): Promise<string> {
-    const auth = await this.adminModel.findOne(undefined, '+password').exec()
-    return auth?.password || decodeMD5(APP_BIZ.AUTH.defaultPassword)
+  /**
+   * Validate the provided plain password against the stored password.
+   * - If a hashed password exists in the database, verify with bcrypt.
+   * - If no password exists (e.g., initial state), fall back to comparing with the default password.
+   */
+  private async validatePassword(plainPassword: string): Promise<boolean> {
+    const existedProfile = await this.adminModel.findOne(undefined, '+password').exec()
+    if (existedProfile?.password) {
+      // Password exists in database → validate using bcrypt
+      return await bcrypt.compare(plainPassword, existedProfile.password)
+    } else {
+      // No password in database → compare directly with default password (no hashing)
+      return plainPassword === APP_BIZ.PASSWORD.defaultPassword
+    }
   }
 
   public createToken(): TokenResult {
     return {
       access_token: this.authService.signToken(),
-      expires_in: APP_BIZ.AUTH.expiresIn
+      expires_in: APP_BIZ.AUTH_JWT.expiresIn
     }
   }
 
-  public async login(password: string): Promise<TokenResult> {
-    const existedPassword = await this.getExistedPassword()
-    const loginPassword = decodeMD5(decodeBase64(password))
-    if (loginPassword === existedPassword) {
+  public async login(base64Password: string): Promise<TokenResult> {
+    if (await this.validatePassword(decodeBase64(base64Password))) {
       return this.createToken()
     } else {
       throw new UnauthorizedException('Password incorrect')
@@ -48,32 +58,31 @@ export class AdminService {
   }
 
   public async updateProfile(adminProfile: AdminUpdateDTO): Promise<Admin> {
-    const { password, new_password, ...profile } = adminProfile
-    const payload: Admin = { ...profile }
+    const { password: inputOldPassword, new_password: inputNewPassword, ...profile } = adminProfile
+    const newProfile: Admin = { ...profile }
 
-    // verify password
-    if (password || new_password) {
-      if (!password || !new_password) {
+    // Verify password
+    if (inputOldPassword || inputNewPassword) {
+      if (!inputOldPassword || !inputNewPassword) {
         throw new BadRequestException('Incomplete passwords')
       }
-      if (password === new_password) {
+      if (inputOldPassword === inputNewPassword) {
         throw new BadRequestException('Old password and new password cannot be the same')
       }
-      const oldPassword = decodeMD5(decodeBase64(password))
-      const existedPassword = await this.getExistedPassword()
-      if (oldPassword !== existedPassword) {
+      if (!(await this.validatePassword(decodeBase64(inputOldPassword)))) {
         throw new BadRequestException('Old password incorrect')
       }
-      // set new password
-      payload.password = decodeMD5(decodeBase64(new_password))
+      // Set new password
+      const plainNewPassword = decodeBase64(inputNewPassword)
+      newProfile.password = await bcrypt.hash(plainNewPassword, APP_BIZ.PASSWORD.bcryptSaltRounds)
     }
 
     // save
-    const existedAuth = await this.adminModel.findOne(undefined, '+password').exec()
-    if (existedAuth) {
-      await Object.assign(existedAuth, payload).save()
+    const existedProfile = await this.adminModel.findOne(undefined, '+password').exec()
+    if (existedProfile) {
+      await Object.assign(existedProfile, newProfile).save()
     } else {
-      await this.adminModel.create(payload)
+      await this.adminModel.create(newProfile)
     }
 
     return this.getProfile()