fix(password-hash): Rehash pbkdf2 if required iterations count increases

ymir1v · Mar 12, 2024 · 3b7f28c · 3b7f28c
1 parent 5af8126
commit 3b7f28c
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/lib/hashes.js b/lib/hashes.js
@@ -134,10 +134,21 @@ module.exports.shouldRehash = hash => {
 
     switch (algo) {
         case 'pbkdf2-sha512':
-        case 'pbkdf2-sha256':
-        case 'pbkdf2-sha1':
-            return consts.DEFAULT_HASH_ALGO !== 'pbkdf2';
+        case 'pbkdf2-sha256': {
+            let [, iterations] = hash.match(/^\$[^$]+\$i=(\d+)\$/) || [];
+
+            if (consts.DEFAULT_HASH_ALGO !== 'pbkdf2') {
+                return true;
+            }
+
+            iterations = (iterations && Number(iterations)) || 0;
 
+            if (iterations && consts.PDKDF2_ITERATIONS > iterations) {
+                return true;
+            }
+
+            return false;
+        }
         case '2a':
         case '2b':
         case '2y':
@@ -150,6 +161,7 @@ module.exports.shouldRehash = hash => {
         case 'argon2d': // Argon2 (mostly because we are using an inefficient implementation)
         case 'argon2i':
         case 'argon2id':
+        case 'pbkdf2-sha1':
             return true;
 
         default: