/ Programming

Using Meteor Passwords in AdonisJS (4.x)

So I previously blogged about replicating Meteor's password hashing, so that migration off of meteor could be (somewhat) painless. While I had it working for JWT logins with Persona in my code, I couldn't get it working with basic auth.

I have some paths that serve up static files (swagger documentation and so forth) for internal consumption only, so I have a middleware that checks for the existence of a flag indicating if a user is an 'internal' user or not, and then I also attached basic auth to the routes for these things. Unfortunately, due to the double hashing we need to use to validate a meteor-ized password, basic auth just didn't want to work.

As AdonisJS is awesome, and uses dependency injection, I knew it had to be possible to alter the authentication scheme being used in a not terribly difficult manner.

Ultimately it is not terribly difficult, but it's also not very well documented, and thus it was very difficult finding the not difficult solution.

Initially I thought, hey I'll just extend the basic auth scheme, and change what gets passed to the password validation method. That worked, but a brief interaction with Virk, Adonis' creator, on discord led me in a better direction...

Extend the default lucid serializer instead of the basic auth scheme. This way, the same password logic can be used for all auth methods.

So, first I added a custom serializer in app/Serializers called MeteorHashSerializer.js:

'use strict'

const LucidSerializer = require('@adonisjs/auth/src/Serializers/Lucid')
const Crypto = require('crypto')

class MeteorHashSerializer extends LucidSerializer {
  async validateCredentails (user, password) {
    if (!user || !user[this._config.password]) {
      return false
    }

    return this.Hash.verify(
      Crypto.Hash('sha256').update(password).digest('hex'),
      user[this._config.password]
    )
  }
}

module.exports = MeteorHashSerializer

That simply overrides the validateCredentials() method of the default lucid serializer, and alters out hash verify logic. Pretty easy so far...

Next, we add a hook to our start/hooks.js file, thusly:

const { ioc } = require('@adonisjs/fold')
const { hooks } = require('@adonisjs/ignitor')

const MeteorHashSerializer = require('../app/Serializers/MeteorHashSerializer')

hooks.before.providersRegistered(() => {
  ioc.extend('Adonis/Src/Auth', 'meteorhash', (app) => {
    const Hash = use('Hash')
    return new MeteorHashSerializer(Hash)
  }, 'serializer')
})

This extends the auth provider, attaching our new custom serializer to it.

Finally, we update the config/auth.js with the new serializer. You can see in our hook that we called it meteorhash:

  basic: {
    serializer: 'meteorhash',
    model: 'App/Models/User',
    scheme: 'basic',
    uid: 'email',
    password: 'password'
  },

It was challenging to get to this point. I love this framework, but some of the gaping holes in the documentation can be frustrating.

Using Meteor Passwords in AdonisJS (4.x)
Share this