Fix session and login vulnerabilities

[ebakoba]

Session management

Currently the session secret is hard-coded to program code. This is a bad as knowing the session key allows the attacker overtake sessions bypassing the authorization.

Two steps are taken to mitigate this risk:

• In app.js session secret is set to come from .env file. If the session secret does not exist in that file, random 40 characters long hex string is generated instead.

• During the installation process random 40 character long hex string is set as session secret in .env file.

Hard-coded credentials

At the moment login credentials are hard-coded in to the application code and although password is hashed it is never salted. This leaves it vulnerable for rainbow table style of attacks. Furthermore, as the source code for this project is public requiring username to match admin is essentially pointless, as anyone could just look up the username from the GitHub source.

These risks are also mitigated in two parts:

• During the installation process user is prompted to enter an username and a password for the server, which will be stored in .env file. bcrypt is used to salt and hash the user provided password.

• passport.js will from now use username and password variables taken from the .env file and use bcrypt for hashing and salting instead of md5.

Impact on backwards compatibility

All the changes regarding to authentication are backwards compatible with current source code. Support for legacy md5 hashed password is used, when .env does not provide password variable.

Session management change will however result in user being logged out after the server is restarted following the update. This logging out will occur on every server restart unless there exists a .env file, where SESSION_SECRET variable is specified.