feat: introduce PASSWORD_HASH and deprecate PASSWORD

README.md

@@ -64,7 +64,7 @@ To automatically install & run wg-easy, simply run:
   --name=wg-easy \
   -e LANG=de \
   -e WG_HOST=<🚨YOUR_SERVER_IP> \
-  -e PASSWORD=<🚨YOUR_ADMIN_PASSWORD> \
+  -e PASSWORD_HASH=<🚨YOUR_ADMIN_PASSWORD_HASH> \
   -e PORT=51821 \
   -e WG_PORT=51820 \
   -v ~/.wg-easy:/etc/wireguard \
@@ -80,7 +80,7 @@ To automatically install & run wg-easy, simply run:
 
 > 💡 Replace `YOUR_SERVER_IP` with your WAN IP, or a Dynamic DNS hostname.
 >
-> 💡 Replace `YOUR_ADMIN_PASSWORD` with a password to log in on the Web UI.
+> 💡 Replace `YOUR_ADMIN_PASSWORD_HASH` with a bycrpt hashed password to log in on the Web UI.
 
 The Web UI will now be available on `http://0.0.0.0:51821`.
 
@@ -102,7 +102,8 @@ These options can be configured by setting environment variables using `-e KEY="
 | - | - | - | - |
 | `PORT` | `51821` | `6789` | TCP port for Web UI. |
 | `WEBUI_HOST` | `0.0.0.0` | `localhost` | IP address web UI binds to. |
-| `PASSWORD` | - | `foobar123` | When set, requires a password when logging in to the Web UI. |
+| `PASSWORD_HASH` | - | `$2y$05$Ci...` | When set, requires a password when logging in to the Web UI. |
+| `PASSWORD` (deprecated) | - | `foobar123` | DO NOT USE IT! When set, requires a password when logging in to the Web UI. Prefer `PASSWORD_HASH` to not put the clear text password in the environment. If `PASSWORD_HASH` is set `PASSWORD` is ignored. |
 | `WG_HOST` | - | `vpn.myserver.com` | The public hostname of your VPN server. |
 | `WG_DEVICE` | `eth0` | `ens6f0` | Ethernet device the wireguard traffic should be forwarded through. |
 | `WG_PORT` | `51820` | `12345` | The public UDP port of your VPN server. WireGuard will listen on that (othwise default) inside the Docker container. |

src/config.js

@@ -6,6 +6,7 @@ module.exports.RELEASE = release;
 module.exports.PORT = process.env.PORT || '51821';
 module.exports.WEBUI_HOST = process.env.WEBUI_HOST || '0.0.0.0';
 module.exports.PASSWORD = process.env.PASSWORD;
+module.exports.PASSWORD_HASH = process.env.PASSWORD_HASH;
 module.exports.WG_PATH = process.env.WG_PATH || '/etc/wireguard/';
 module.exports.WG_DEVICE = process.env.WG_DEVICE || 'eth0';
 module.exports.WG_HOST = process.env.WG_HOST;

src/lib/Server.js

@@ -29,11 +29,14 @@ const {
   WEBUI_HOST,
   RELEASE,
   PASSWORD,
+  PASSWORD_HASH,
   LANG,
   UI_TRAFFIC_STATS,
   UI_CHART_TYPE,
 } = require('../config');
 
+const requiresPassword = !!PASSWORD || !!PASSWORD_HASH;
+
 module.exports = class Server {
 
   constructor() {
@@ -72,7 +75,6 @@ module.exports = class Server {
 
       // Authentication
       .get('/api/session', defineEventHandler((event) => {
-        const requiresPassword = !!process.env.PASSWORD;
         const authenticated = requiresPassword
           ? !!(event.node.req.session && event.node.req.session.authenticated)
           : true;
@@ -85,19 +87,21 @@ module.exports = class Server {
       .post('/api/session', defineEventHandler(async (event) => {
         const { password } = await readBody(event);
 
-        if (typeof password !== 'string') {
+        if (!requiresPassword) {
+          // if no password is required, the API should never be called.
+          // Do not automatically authenticate the user.
           throw createError({
             status: 401,
-            message: 'Missing: Password',
+            message: 'Invalid state',
           });
         }
 
-        if (password !== PASSWORD) {
+        if (!isPasswordValid(password)) {
           throw createError({
             status: 401,
             message: 'Incorrect Password',
           });
-        }
+        };
 
         event.node.req.session.authenticated = true;
         event.node.req.session.save();
@@ -110,7 +114,7 @@ module.exports = class Server {
     // WireGuard
     app.use(
       fromNodeMiddleware((req, res, next) => {
-        if (!PASSWORD || !req.url.startsWith('/api/')) {
+        if (!requiresPassword || !req.url.startsWith('/api/')) {
           return next();
         }
 
@@ -119,7 +123,7 @@ module.exports = class Server {
         }
 
         if (req.url.startsWith('/api/') && req.headers['authorization']) {
-          if (bcrypt.compareSync(req.headers['authorization'], bcrypt.hashSync(PASSWORD, 10))) {
+          if (isPasswordValid(req.headers['authorization'])) {
             return next();
           }
           return res.status(401).json({
@@ -235,6 +239,32 @@ module.exports = class Server {
       });
     };
 
+    /**
+     * Checks if `password` matches the PASSWORD_HASH.
+     * 
+     * For backward compatibility it also allows `password` to match the clear text PASSWORD,
+     * but only if no PASSWORD_HASH is provided.
+     * 
+     * If both enviornment variables are not set, the password is always invalid.
+     * 
+     * @param {string} password String to test
+     * @returns {boolean} true if matching environment, otherwise false
+     */
+    const isPasswordValid = (password) => {
+      if (typeof password !== 'string') {
+        return false;
+      }
+
+      if (!!PASSWORD_HASH) {
+        return bcrypt.compareSync(password, PASSWORD_HASH);
+      }
+      if (!!PASSWORD) {
+        return password == PASSWORD;
+      }
+
+      return false;
+    }
+
     // Static assets
     const publicDir = '/app/www';
     app.use(