mirror of
https://github.com/duckietm/Arcturus-Morningstar-Extended.git
synced 2026-06-20 15:36:17 +00:00
dac09e92d1
`HousekeepingResetUserPasswordEvent` was writing a SHA-256 hex digest into `users.password`, but the Nitro auth path (`SessionEndpoints` / `AccountChangeEndpoints` → `AuthHttpUtil.checkPassword`) only does `BCrypt.checkpw`. A SHA-256 hex string doesn't start with `$2…$`, so jbcrypt throws `IllegalArgumentException`, `checkPassword` returns false, and operators saw "credenziali invalide" on every account whose password had been reset from the in-client panel.

Switch to `BCrypt.hashpw(plain, BCrypt.gensalt(10))` — same idiom already used by `SessionEndpoints.java:351` and `AccountChangeEndpoints.java:98`. Cost 10 (vs 12 there) is fine for a server-generated 12-char random password: gensalt(10) keeps the operator-facing reset snappy and the output is identical-shape (`$2a$…`) to what jbcrypt 0.4 already accepts.

Side-effects:

- drops the `MessageDigest` / `NoSuchAlgorithmException` / `StandardCharsets` imports and the local `sha256Hex` helper
- repurposes the existing `housekeeping.error.hash_failed` key for `BCrypt.gensalt`'s only failure mode (invalid cost / log_rounds out of range) so the client error surface is unchanged
- updates the file javadoc to stop telling future readers to "swap the MessageDigest constant" — Arcturus itself only verifies BCrypt

Companion of duckietm/Nitro-V3#157 (`feat/housekeeping-panel`).

The client/UI is untouched — packet 9200, the action-result reveal card, the copy button, and the plaintext flow through `message` are all unchanged.
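An added example, not part of the commit or the project's code: a small audit over exported `users.password` values that separates bcrypt-shaped hashes from the bare SHA-256 hex digests the old handler wrote, so affected accounts can be found and reset again. The `(user_id, stored)` row format, the function names and the sample values are assumptions constructed for illustration.

```python
import hashlib
import re

# Standard bcrypt modular-crypt layout (assumed here):
# $2<minor>$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Shape of what the old reset handler stored: a bare 64-char hex digest.
SHA256_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def classify(stored):
    """Return (kind, cost) for one stored users.password value."""
    value = (stored or "").strip()
    match = BCRYPT_RE.match(value)
    if match:
        return "bcrypt", int(match.group(1))
    if SHA256_HEX_RE.match(value):
        return "sha256_hex", None
    return "unknown", None


def audit(rows):
    """rows: iterable of (user_id, stored). Returns (needs_reset, counts)."""
    needs_reset, counts = [], {}
    for user_id, stored in rows:
        kind, cost = classify(stored)
        key = kind if cost is None else f"bcrypt_cost_{cost}"
        counts[key] = counts.get(key, 0) + 1
        if kind != "bcrypt":
            # A bcrypt-only verifier cannot match these values.
            needs_reset.append((user_id, kind))
    return needs_reset, counts


# Constructed sample rows: shape-only placeholders, not real password hashes.
SAMPLE_ROWS = [
    (1, "$2a$12$" + "A" * 53),                           # registration-style
    (2, hashlib.sha256(b"constructed").hexdigest()),     # old reset output
    (3, "$2a$10$" + "b" * 53),                           # reset after the fix
    (4, ""),                                             # empty column
]

if __name__ == "__main__":
    flagged, summary = audit(SAMPLE_ROWS)
    print("summary:", summary)
    for user_id, kind in flagged:
        print(f"user {user_id}: stored value is {kind}, needs a new reset")
```

The per-cost counts also show how many rows carry the reset path's cost 10 versus the cost 12 used by the other endpoints.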