Merge pull request #261 from hamster1963/alert-autofix-7

Potential fix for code scanning alert no. 7: Use of password hash with insufficient computational effort
2025-04-24 21:10:45 +08:00 · 2025-03-25 16:07:01 +08:00 · 2025-03-25 16:07:01 +08:00 · 38ebfcee44
commit 38ebfcee44
parent e5a4c2f410 365ba91bff
3 changed files with 4 additions and 2 deletions
--- a/auth.ts
+++ b/auth.ts
@ -1,12 +1,12 @@
 import getEnv from "@/lib/env-entry"
-import CryptoJS from "crypto-js"
+import bcrypt from "bcrypt"
 import NextAuth from "next-auth"
 import CredentialsProvider from "next-auth/providers/credentials"

 export const { handlers, signIn, signOut, auth } = NextAuth({
  secret:
    process.env.AUTH_SECRET ??
-    CryptoJS.MD5(`this_is_nezha_dash_web_secret_${getEnv("SitePassword")}`).toString(),
+    bcrypt.hashSync(`this_is_nezha_dash_web_secret_${getEnv("SitePassword")}`, 10),
  trustHost: (process.env.AUTH_TRUST_HOST as boolean | undefined) ?? true,
  providers: [
    CredentialsProvider({
--- a/bun.lockb
+++ b/bun.lockb
--- a/package.json
+++ b/package.json
@ -26,10 +26,12 @@
    "@radix-ui/react-switch": "^1.1.3",
    "@radix-ui/react-tooltip": "^1.1.8",
    "@trivago/prettier-plugin-sort-imports": "^5.2.2",
+    "@types/bcrypt": "^5.0.2",
    "@types/crypto-js": "^4.2.2",
    "@types/d3-geo": "^3.1.0",
    "@types/luxon": "^3.4.2",
    "babel-plugin-react-compiler": "^19.0.0-beta-e552027-20250112",
+    "bcrypt": "^5.1.1",
    "caniuse-lite": "^1.0.30001707",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",