From 7e39afa29f1674df4cac51c7894181f55f66aa12 Mon Sep 17 00:00:00 2001
From: Mohamed Bassem
Date: Tue, 15 Apr 2025 19:36:51 +0000
Subject: fix: Add password salt to the user table
---
 packages/trpc/routers/users.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'packages/trpc/routers/users.ts')
diff --git a/packages/trpc/routers/users.ts b/packages/trpc/routers/users.ts
index 75a1db0c..c56daaee 100644
--- a/packages/trpc/routers/users.ts
+++ b/packages/trpc/routers/users.ts
@@ -19,7 +19,7 @@ import {
 zWhoAmIResponseSchema,
 } from "@karakeep/shared/types/users";
-import { hashPassword, validatePassword } from "../auth";
+import { generatePasswordSalt, hashPassword, validatePassword } from "../auth";
 import {
 adminProcedure,
 authedProcedure,
@@ -42,13 +42,15 @@ export async function createUser(
 userRole = userCount == 0 ? "admin" : "user";
 }
+ const salt = generatePasswordSalt();
 try {
 const result = await trx
 .insert(users)
 .values({
 name: input.name,
 email: input.email,
- password: await hashPassword(input.password),
+ password: await hashPassword(input.password, salt),
+ salt,
 role: userRole,
 })
 .returning({
@@ -149,10 +151,12 @@ export const usersAppRouter = router({
 throw new TRPCError({ code: "UNAUTHORIZED" });
 }
 invariant(user.id, ctx.user.id);
+ const newSalt = generatePasswordSalt();
 await ctx.db
 .update(users)
 .set({
- password: await hashPassword(input.newPassword),
+ password: await hashPassword(input.newPassword, newSalt),
+ salt: newSalt,
 })
 .where(eq(users.id, ctx.user.id));
 }),
--
cgit v1.2.3-70-g09d2
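Review bot: The hash and its salt are paired by hand in `.values({ ... })` here and again in `.set({ ... })` in the password-change hunk, so nothing in this file stops a later write path from updating `password` without `salt` and leaving a row whose hash can no longer be verified. A comment at both sites, for example `// password and salt must always be written in the same statement; verification needs the stored salt`, or a small helper returning both fields, would make that invariant explicit. `generatePasswordSalt` and the two-argument `hashPassword` live in `../auth`, outside this view, so whether the salt comes from a cryptographically secure source and has a sensible length cannot be confirmed from these lines. createUser's body starts and ends outside the hunk.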
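Review bot: The verification side of this file is untouched: the diffstat's 7 insertions and 3 deletions are fully accounted for by the import line and the two write sites, so the `validatePassword` call that presumably guards the `UNAUTHORIZED` throw just above keeps its old arguments. That is correct only if `validatePassword` in `../auth` now reads the stored salt itself and still accepts rows created before this commit, which have no salt; neither is visible here and both are worth confirming before merge. If legacy rows are still accepted, a comment on this update such as `// a fresh salt is generated on every password change, so pre-salt accounts are upgraded here` would record that this is their upgrade path. The enclosing handler starts outside the hunk.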