Implemented password hashing using a salt, following this code&guidelines: https://crackstation.net/hashing-security.htm

1 files changed, 20 insertions, 4 deletions

diff --git a/src/org/traccar/model/User.java b/src/org/traccar/model/User.java
index 410bc4d74..fa09861ed 100644
--- a/src/org/traccar/model/User.java
+++ b/src/org/traccar/model/User.java
@@ -15,7 +15,8 @@
  */
 package org.traccar.model;
 
-import org.traccar.helper.Hashing;
+import org.traccar.helper.PasswordHash;
+import org.traccar.helper.PasswordHash.HashingResult;
 
 public class User implements Factory {
 
@@ -36,10 +37,15 @@ public class User implements Factory {
     public String getEmail() { return email; }
     public void setEmail(String email) { this.email = email; }
     
-    private byte[] password;
-    public byte[] getPassword() { return password; }
-    public void setPassword(String password) { this.password = Hashing.sha256(password); }
+    private String password;
+    public String getPassword() { return password; }
+    public void setPassword(String password) {
+        this.password = password;
+    }
     
+    private String salt;
+    public String getSalt() { return salt; }
+    public void setSalt(String salt) { this.salt = salt; }
     private boolean readonly;
     
     private boolean admin;
@@ -59,4 +65,14 @@ public class User implements Factory {
     private double longitude;
     
     private int zoom;
+    
+    public boolean isPasswordValid(String inputPassword) {
+        return PasswordHash.validatePassword(inputPassword.toCharArray(), PasswordHash.PBKDF2_ITERATIONS, this.salt, this.password);
+    }
+    
+    public void hashPassword(String password) {
+        HashingResult hashingResult = PasswordHash.createHash(password);
+        this.password = hashingResult.hash;
+        this.salt = hashingResult.salt;
+    }
 }