apostrophe 3.63.3 → 3.65.0

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## 3.65.0 (2024-05-06)
+
+### Adds
+
+*  Adds a `publicBundle` option to `@apostrophecms/asset`. When set to `false`, the `ui/src` public asset bundle is not built at all in most cases
+except as part of the admin UI bundle which depends on it. For use with external front ends such as [apostrophe-astro](https://github.com/apostrophecms/apostrophe-astro).
+Thanks to Michelin for contributing this feature.
+
+## 3.64.0 (2024-04-18)
+
+### Adds
+
+### Fixes
+
+* Add the missing `metaType` property to newly inserted widgets.
+
+### Security
+
+* New passwords are now hashed with `scrypt`, the best password hash available in the Node.js core `crypto` module, following guidance from [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).
+This reduces login time while improving overall security.
+* Old passwords are automatically re-hashed with `scrypt` on the next successful login attempt, which
+adds some delay to that next attempt, but speeds them up forever after compared to the old implementation.
+* Custom `scrypt` parameters for password hashing can be passed to the `@apostrophecms/user` module via the `scrypt` option. See the [Node.js documentation for `scrypt`]. Note that the `maxmem` parameter is computed automatically based on the other parameters.
+
+### Changes
+
+* `APOS_MONGODB_LOG_LEVEL` has been removed. According to [mongodb documentation](https://github.com/mongodb/node-mongodb-native/blob/main/etc/notes/CHANGES_5.0.0.md#mongoclientoptionslogger-and-mongoclientoptionsloglevel-removed) "Both the logger and the logLevel options had no effect and have been removed."
+* Update `connect-mongo` to `5.x`. Add `@apostrophecms/emulate-mongo-3-driver` dependency to keep supporting `mongodb@3.x` queries while using `mongodb@6.x`.
+
 ## 3.63.3 (2024-03-14)
 
 ### Adds
@@ -13,6 +42,18 @@ that these keys would be present.
 * `field.help` and `field.htmlHelp` are now correctly translated when displayed in a tooltip.
 This was also an expectation for the multisite module.
 
+## UNRELEASED
+
+### Adds
+
+* Add side by side comparison support in AposSchema component.
+* Add the possibility to make widget modals wider, which can be useful for widgets that contain areas taking significant space. See [documentation](https://v3.docs.apostrophecms.org/reference/modules/widget-type.html#options).
+
+### Fixes
+
+* Adds `textStyle` to Tiptap types so that spans are rendered on RT initialization
+* Notification REST APIs should not directly return the result of MongoDB operations.
+
 ## 3.63.2 (2024-03-01)
 
 ### Security

package/lib/mongodb-connect.js

@@ -1,4 +1,4 @@
-const mongo = require('mongodb');
+const mongo = require('@apostrophecms/emulate-mongo-3-driver');
 const dns = require('dns');
 
 // Connect to MongoDB, using the modern topology and parser, and

package/modules/@apostrophecms/area/index.js

@@ -622,7 +622,7 @@ module.exports = {
           widgetIsContextual[name] = manager.options.contextual;
           widgetHasPlaceholder[name] = manager.options.placeholder;
           widgetHasInitialModal[name] = !manager.options.placeholder && manager.options.initialModal !== false;
-          contextualWidgetDefaultData[name] = manager.options.defaultData;
+          contextualWidgetDefaultData[name] = manager.options.defaultData || {};
         });
 
         return {

package/modules/@apostrophecms/area/ui/apos/components/AposAreaEditor.vue

@@ -431,7 +431,9 @@ export default {
     },
     async update(widget) {
       widget.aposPlaceholder = false;
-
+      if (!widget.metaType) {
+        widget.metaType = 'widget';
+      }
       if (this.docId === window.apos.adminBar.contextId) {
         apos.bus.$emit('context-edited', {
           [`@${widget._id}`]: widget
@@ -515,6 +517,9 @@ export default {
       if (!widget._id) {
         widget._id = cuid();
       }
+      if (!widget.metaType) {
+        widget.metaType = 'widget';
+      }
       const push = {
         $each: [ widget ]
       };

package/modules/@apostrophecms/asset/index.js

@@ -42,7 +42,10 @@ module.exports = {
     watchDebounceMs: 1000,
     // Object containing instructions for remapping existing bundles.
     // See the modulre reference documentation for more information.
-    rebundleModules: undefined
+    rebundleModules: undefined,
+    // In case of external front end like Astro, this option allows to
+    // disable the build of the public UI assets.
+    publicBundle: true
   },
 
   async init(self) {
@@ -169,7 +172,9 @@ module.exports = {
           // to the same relative path `/public/apos-frontend/namespace/modules/modulename`.
           // Inherited files are also copied, with the deepest subclass overriding in the
           // event of a conflict
-          await moduleOverrides(`${bundleDir}/modules`, 'public');
+          if (self.options.publicBundle) {
+            await moduleOverrides(`${bundleDir}/modules`, 'public');
+          }
 
           for (const [ name, options ] of Object.entries(self.builds)) {
             // If the option is not present always rebuild everything...
@@ -180,11 +185,12 @@ module.exports = {
             } else if (!rebuild) {
               let checkTimestamp = false;
 
-              // Only builds contributing to the apos admin UI (currently just "apos")
+              // If options.publicBundle, only builds contributing to the apos admin UI (currently just "apos")
               // are candidates to skip the build simply because package-lock.json is
               // older than the bundle. All other builds frequently contain
               // project level code
-              if (options.apos) {
+              // Else we can skip also for the src bundle
+              if (options.apos || !self.options.publicBundle) {
                 const bundleExists = await fs.pathExists(bundleDir);
 
                 if (!bundleExists) {
@@ -437,7 +443,7 @@ module.exports = {
                   modulesPrefix: `${self.getAssetBaseUrl()}/modules`
                 }));
               }
-              if (options.apos) {
+              if (options.apos || !self.options.publicBundle) {
                 const now = Date.now().toString();
                 fs.writeFileSync(`${bundleDir}/${name}-build-timestamp.txt`, now);
               }
@@ -1300,7 +1306,7 @@ module.exports = {
         `;
         self.builds = {
           src: {
-            scenes: [ 'public', 'apos' ],
+            scenes: [ 'apos' ],
             webpack: true,
             outputs: [ 'css', 'js' ],
             label: 'apostrophe:modernBuild',
@@ -1310,13 +1316,6 @@ module.exports = {
             condition: 'module',
             prologue: self.srcPrologue
           },
-          public: {
-            scenes: [ 'public', 'apos' ],
-            outputs: [ 'css', 'js' ],
-            label: 'apostrophe:rawCssAndJs',
-            // Just concatenates
-            webpack: false
-          },
           apos: {
             scenes: [ 'apos' ],
             outputs: [ 'js' ],
@@ -1337,6 +1336,16 @@ module.exports = {
           // We could add an apos-ie11 bundle that just pushes a "sorry charlie" prologue,
           // if we chose
         };
+        if (self.options.publicBundle) {
+          self.builds.public = {
+            scenes: [ 'public', 'apos' ],
+            outputs: [ 'css', 'js' ],
+            label: 'apostrophe:rawCssAndJs',
+            // Just concatenates
+            webpack: false
+          };
+          self.builds.src.scenes.push('public');
+        }
       },
       // Filter the given css performing any necessary transformations,
       // such as support for the /modules path regardless of where

package/modules/@apostrophecms/db/index.js

@@ -96,12 +96,6 @@ module.exports = {
           self.connectionReused = true;
           return;
         }
-        let Logger;
-        if (process.env.APOS_MONGODB_LOG_LEVEL) {
-          Logger = require('mongodb').Logger;
-          // Set debug level
-          Logger.setLevel(process.env.APOS_MONGODB_LOG_LEVEL);
-        }
         let uri = 'mongodb://';
         if (process.env.APOS_MONGODB_URI) {
           uri = process.env.APOS_MONGODB_URI;

package/modules/@apostrophecms/doc-type/index.js

@@ -2682,8 +2682,14 @@ module.exports = {
               subquery.limit(undefined);
               subquery.page(undefined);
               subquery.perPage(undefined);
-              const mongo = await subquery.toMongo();
-              const count = await mongo.count();
+              const cursor = await subquery.toMongo();
+              const count = await cursor.count();
+              // TODO: replace count with the code below
+              // await subquery.finalize();
+              // const count = await self.apos.doc.db.countDocuments({
+              //   ...subquery.get('criteria'),
+              //   ...(subquery.get('lateCriteria') || {})
+              // });
               if (query.get('perPage')) {
                 const perPage = query.get('perPage');
                 const totalPages = Math.ceil(count / perPage);

package/modules/@apostrophecms/express/index.js

@@ -554,12 +554,13 @@ module.exports = {
           }
           if (!sessionOptions.store.name) {
             // require from this module's dependencies
-            Store = require('connect-mongo')(expressSession);
+            const MongoStore = require('connect-mongo');
+            sessionOptions.store = MongoStore.create(sessionOptions.store.options);
           } else {
             // require from project's dependencies
             Store = self.apos.root.require(sessionOptions.store.name)(expressSession);
+            sessionOptions.store = new Store(sessionOptions.store.options);
           }
-          sessionOptions.store = new Store(sessionOptions.store.options);
         }
         // Exported for the benefit of code that needs to
         // interoperate in a compatible way with express-sessions

package/modules/@apostrophecms/migration/index.js

@@ -115,6 +115,11 @@ module.exports = {
         // https://groups.google.com/forum/#!topic/mongodb-user/AFC1ia7MHzk
         const cursor = collection.find(criteria);
         cursor.sort({ _id: 1 });
+        // TODO use a variant of the code below instead
+        // cursor.batchSize(limit);
+        // for await (const docs of cursor) {
+        //   // await iterator(docs);
+        // }
         return require('util').promisify(broadband)(cursor, limit, async function (doc, cb) {
           try {
             await iterator(doc);

package/modules/@apostrophecms/modal/ui/apos/components/AposModal.vue

@@ -308,7 +308,7 @@ export default {
       top: 0;
       bottom: 0;
       transform: translateX(0);
-      width: 90%;
+      width: 100%;
       border-radius: 0;
       height: 100vh;
 
@@ -339,6 +339,12 @@ export default {
       }
     }
 
+    &.apos-modal__inner--full {
+      @media screen and (min-width: 800px) {
+        max-width: 100%;
+      }
+    }
+
     &.slide-left-enter,
     &.slide-left-leave-to {
       transform: translateX(100%);

package/modules/@apostrophecms/notification/index.js

@@ -154,7 +154,7 @@ module.exports = {
           dismissed
         });
 
-        return self.db.updateOne({ _id }, {
+        await self.db.updateOne({ _id }, {
           $set: {
             dismissed
           },
@@ -164,8 +164,8 @@ module.exports = {
         });
       }
     },
-    delete(req, _id) {
-      return self.db.deleteMany({ _id });
+    async delete(req, _id) {
+      await self.db.deleteMany({ _id });
     }
   }),
   apiRoutes(self) {
@@ -414,7 +414,7 @@ module.exports = {
 
       async ensureCollection() {
         self.db = self.apos.db.collection('aposNotifications');
-        return self.db.createIndex({
+        await self.db.createIndex({
           userId: 1,
           createdAt: 1
         });

package/modules/@apostrophecms/rich-text-widget/index.js

@@ -331,6 +331,7 @@ module.exports = {
       blockquote: [ 'blockquote' ],
       superscript: [ 'sup' ],
       subscript: [ 'sub' ],
+      textStyle: [ 'span' ],
       // Generic div type, usually used with classes,
       // and for A2 content migration. Intentionally not
       // given a nicer-sounding name

package/modules/@apostrophecms/schema/ui/apos/components/AposSchema.vue

@@ -25,11 +25,13 @@
 <template>
   <component
     class="apos-schema"
+    :class="classes"
     :is="fieldStyle === 'table' ? 'tr' : 'div'"
   >
     <slot name="before" />
     <component
-      v-for="field in schema" :key="field.name.concat(field._id ?? '')"
+      v-for="field in schema"
+      :key="field.name.concat(field._id ?? '')"
       :data-apos-field="field.name"
       :is="fieldStyle === 'table' ? 'td' : 'div'"
       :style="(fieldStyle === 'table' && field.columnStyle) || {}"
@@ -53,6 +55,25 @@
         @update-doc-data="onUpdateDocData"
         @validate="emitValidate()"
       />
+      <component
+        v-if="hasCompareMeta"
+        v-show="displayComponent(field)"
+        v-model="compareMetaState[field.name]"
+        :is="fieldComponentMap[field.type]"
+        :following-values="followingValues[field.name]"
+        :condition-met="conditionalFields?.if[field.name]"
+        :field="fields[field.name].field"
+        :meta="meta"
+        :modifiers="fields[field.name].modifiers"
+        :display-options="getDisplayOptions(field.name)"
+        :trigger-validation="triggerValidation"
+        :server-error="fields[field.name].serverError"
+        :doc-id="docId"
+        :ref="field.name"
+        :generation="generation"
+        @update-doc-data="onUpdateDocData"
+        @validate="emitValidate()"
+      />
     </component>
     <slot name="after" />
   </component>
@@ -96,4 +117,26 @@ export default {
       margin-bottom: 0;
     }
   }
+
+  .apos-schema.apos-schema--compare {
+    & > ::v-deep [data-apos-field] {
+      display: flex;
+
+      & > .apos-field__wrapper {
+        flex-grow: 1;
+        flex-basis: 50%;
+        border-right: 1px solid var(--a-base-9);
+        padding-right: 20px;
+      }
+      & > .apos-field__wrapper + .apos-field__wrapper {
+        border-right: none;
+        padding-right: 0;
+        padding-left: 20px;
+      }
+
+      & .apos-field__label {
+        word-break: break-all;
+      }
+    }
+  }
 </style>

package/modules/@apostrophecms/schema/ui/apos/logic/AposSchema.js

@@ -130,6 +130,32 @@ export default {
           }
         };
       }, {});
+    },
+    hasCompareMeta() {
+      return this.schema.some(field => this.meta[field.name]?.['@apostrophecms/schema:compare']);
+    },
+    classes() {
+      const classes = [];
+      if (this.hasCompareMeta) {
+        classes.push('apos-schema--compare');
+      }
+
+      return classes;
+    },
+    compareMetaState() {
+      if (!this.hasCompareMeta) {
+        return {};
+      }
+
+      const compareMetaState = {};
+      this.schema.forEach(field => {
+        compareMetaState[field.name] = {
+          error: false,
+          data: this.meta[field.name]['@apostrophecms/schema:compare']
+        };
+      });
+
+      return compareMetaState;
     }
   },
   watch: {

package/modules/@apostrophecms/user/index.js

@@ -34,7 +34,7 @@
 // their preferred language for the admin UI. It will be added only if
 // @apostrophecms/i18n is configured with `adminLocales`.
 
-const credentials = require('credentials');
+const passwordHash = require('./lib/password-hash.js');
 const prompts = require('prompts');
 
 module.exports = {
@@ -52,7 +52,20 @@ module.exports = {
     publishRole: 'admin',
     viewRole: 'admin',
     showPermissions: true,
-    relationshipSuggestionIcon: 'account-box-icon'
+    relationshipSuggestionIcon: 'account-box-icon',
+    scrypt: {
+      // These are the defaults. If you choose to pass
+      // this option, you can pass one or more new values.
+      // "cost" must be a power of 2. See:
+      //
+      // https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback
+      //
+      // Do not pass maxmem, it is calculated automatically.
+      //
+      // cost: 131072,
+      // parallelization: 1,
+      // blockSize: 8
+    }
   },
   fields(self, options) {
     const fields = {};
@@ -426,11 +439,11 @@ module.exports = {
       // in `options.secrets` when configuring this module or via
       // `addSecrets` are not stored as plaintext and are not kept in the
       // aposDocs collection. Instead, they are hashed and salted using the
-      // `credential` module and the resulting hash is stored
+      // the same algorithm applied to passwords and the resulting hash is stored
       // in a separate `aposUsersSafe` collection. This method
       // can be used to verify that `attempt` matches the
       // previously hashed value for the property named `secret`,
-      // without ever storing the actual value of the secret
+      // without ever storing the actual value of the secret.
       //
       // If the secret does not match, an `invalid` error is thrown.
       // Otherwise the method returns normally.
@@ -440,10 +453,20 @@ module.exports = {
         if (!safeUser) {
           throw new Error('No such user in the safe.');
         }
-
-        const isVerified = await self.pw.verify(migrate(safeUser[secret + 'Hash']), attempt);
+        const key = secret + 'Hash';
+        const isVerified = await self.pw.verify(migrate(safeUser[key]), attempt);
 
         if (isVerified) {
+          if ((typeof isVerified) === 'string') {
+            // "verify" updated the hash, store the new one
+            const $set = {};
+            $set[key] = isVerified;
+            await self.safe.updateOne({
+              _id: user._id
+            }, {
+              $set
+            });
+          }
           return null;
         } else {
           throw self.apos.error('invalid', `Incorrect ${secret}`);
@@ -452,8 +475,9 @@ module.exports = {
         function migrate(json) {
           const data = JSON.parse(json);
 
-          // Do not re-encode salt generated by credentials@3
-          if (data.credentials3) {
+          // * Do not re-encode legacy salt generated by credentials@3
+          // * Do not alter salts not generated by the credentials module
+          if (data.credentials3 || (data.hashMethod !== 'pbkdf2')) {
             return json;
           }
 
@@ -477,13 +501,15 @@ module.exports = {
         await self.safe.updateOne({ _id: user._id }, changes);
       },
 
-      // Initialize the [credential](https://npmjs.org/package/credential) module.
+      // Initialize password hashing system. Name is for
+      // legacy reasons
+
       initializeCredential() {
-        self.pw = credentials({
-          // For efficient unit tests only. Reducing the work factor
-          // for actual credentials increases the speed of brute force attacks
-          // if the database is ever compromised
-          work: self.options.insecurePasswords ? 0.01 : 1
+        self.pw = passwordHash({
+          error(s) {
+            return self.apos.error('invalid', s);
+          },
+          scrypt: self.options.scrypt
         });
       },
 

package/modules/@apostrophecms/user/lib/password-hash.js

@@ -0,0 +1,122 @@
+// Password hashing based on scrypt, per:
+// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+//
+// Also includes legacy support for pbkdf2 passwords.
+//
+// Adapted from the "credential" and "credentials" modules,
+// which were also released under the MIT license.
+
+const util = require('util');
+const crypto = require('crypto');
+
+const scrypt = util.promisify(crypto.scrypt);
+const pbkdf2 = util.promisify(crypto.pbkdf2);
+const randomBytes = util.promisify(crypto.randomBytes);
+const timingSafeEqual = crypto.timingSafeEqual;
+
+function getScryptOptions(options) {
+  const result = {
+    cost: 131072,
+    parallelization: 1,
+    blockSize: 8,
+    ...options
+  };
+  // Per https://github.com/nodejs/node/issues/21524
+  // Without this the parameters are rejected as soon as we
+  // exceed the default cost of 16384
+  result.maxmem = 128 * result.parallelization * result.blockSize + 128 * (2 + result.cost) * result.blockSize;
+  return result;
+}
+
+configure.hash = hash;
+configure.verify = verify;
+
+module.exports = configure;
+
+function configure(opts) {
+  opts = {
+    keyLength: 64,
+    ...opts,
+    scrypt: getScryptOptions(opts.scrypt)
+  };
+  return {
+    hash: password => hash(password, opts),
+    verify: (stored, input) => verify(stored, input, opts)
+  };
+}
+
+async function hash(password, opts) {
+  const { keyLength } = opts;
+
+  if (typeof password !== 'string' || password.length === 0) {
+    throw opts.error('Password must be a non-empty string.');
+  }
+
+  const salt = await randomBytes(keyLength);
+  const hash = await scrypt(password, salt, keyLength, opts.scrypt);
+
+  return JSON.stringify({
+    hashMethod: 'scrypt',
+    salt: salt.toString('base64'),
+    hash: hash.toString('base64'),
+    keyLength,
+    scrypt: opts.scrypt
+  });
+}
+
+async function verify(stored, input, opts) {
+  const parsed = parse(stored);
+
+  const {
+    hashMethod, keyLength, salt, hash: hashA
+  } = parse(stored);
+
+  if (typeof input !== 'string' || input.length === 0) {
+    throw opts.error('Input password must be a non-empty string.');
+  }
+  if (!hashMethod) {
+    throw opts.error('Couldn\'t parse stored hash.');
+  }
+  let hashB;
+  if (hashMethod === 'scrypt') {
+    // Use scrypt as a more modern but also safely portable
+    // solution in Node.js
+    const { scrypt: scryptOptions } = parsed;
+    // Calculate maxmem to make sure we still have the resources
+    // if this password was hashed with a higher cost factor
+    // than the one we are using for new passwords
+    hashB = await scrypt(input, salt, keyLength, getScryptOptions(scryptOptions));
+  } else {
+    // Support existing pbkdf2 hashes from credentials module
+    const { iterations } = parsed;
+    const dfn = hashMethod.slice(0, 6);
+    const hfn = hashMethod.slice(7) || 'sha1';
+    if (dfn !== 'pbkdf2') {
+      throw opts.error('Unsupported key derivation function');
+    }
+    if (![ 'sha1', 'sha512' ].includes(hfn)) {
+      throw opts.error('Unsupported hash function');
+    }
+    hashB = await pbkdf2(input, salt, iterations, keyLength, hfn);
+  }
+  const equal = timingSafeEqual(hashA, hashB);
+  if (equal && (hashMethod !== 'scrypt')) {
+    // Modernize legacy hashes on next login
+    return hash(input, opts);
+  } else {
+    return equal;
+  }
+}
+
+function parse(stored) {
+  try {
+    const parsed = JSON.parse(stored);
+    return {
+      ...parsed,
+      salt: Buffer.from(parsed.salt, 'base64'),
+      hash: Buffer.from(parsed.hash, 'base64')
+    };
+  } catch (err) {
+    return {};
+  }
+}

package/modules/@apostrophecms/widget-type/index.js

@@ -100,7 +100,11 @@ module.exports = {
     neverLoadSelf: true,
     initialModal: true,
     placeholder: false,
-    placeholderClass: 'apos-placeholder'
+    placeholderClass: 'apos-placeholder',
+    // two-thirds, half or full:
+    width: '',
+    // left or right:
+    origin: 'right'
   },
   init(self) {
     const badFieldName = Object.keys(self.fields).indexOf('type') !== -1;
@@ -400,7 +404,9 @@ module.exports = {
           contextual: self.options.contextual,
           placeholderClass: self.options.placeholderClass,
           className: self.options.className,
-          components: self.options.components
+          components: self.options.components,
+          width: self.options.width,
+          origin: self.options.origin
         });
         return result;
       }

package/modules/@apostrophecms/widget-type/ui/apos/components/AposWidgetEditor.vue

@@ -92,6 +92,8 @@ export default {
   },
   emits: [ 'safe-close', 'modal-result' ],
   data() {
+    const moduleOptions = window.apos.modules[apos.area.widgetManagers[this.type]];
+
     return {
       id: this.value && this.value._id,
       original: null,
@@ -103,6 +105,8 @@ export default {
         title: this.editLabel,
         active: false,
         type: 'slide',
+        width: moduleOptions.width,
+        origin: moduleOptions.origin,
         showModal: false
       },
       triggerValidation: false
@@ -218,9 +222,3 @@ export default {
   }
 };
 </script>
-
-<style lang="scss" scoped>
-  .apos-widget-editor ::v-deep .apos-modal__inner {
-    max-width: 458px;
-  }
-</style>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.63.3",
+  "version": "3.65.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -31,6 +31,7 @@
   "author": "Apostrophe Technologies, Inc.",
   "license": "MIT",
   "dependencies": {
+    "@apostrophecms/emulate-mongo-3-driver": "^1.0.2",
     "@apostrophecms/vue-color": "^2.8.2",
     "@opentelemetry/api": "^1.0.4",
     "@opentelemetry/semantic-conventions": "^1.0.1",
@@ -74,11 +75,10 @@
     "cheerio": "^1.0.0-rc.10",
     "chokidar": "^3.5.2",
     "common-tags": "^1.8.0",
-    "connect-mongo": "^3.0.0",
+    "connect-mongo": "^5.1.0",
     "connect-multiparty": "^2.1.1",
     "cookie-parser": "^1.4.5",
     "cors": "^2.8.5",
-    "credentials": "^3.0.2",
     "css-loader": "^5.2.4",
     "cuid": "^2.1.8",
     "dayjs": "^1.9.8",
@@ -104,7 +104,6 @@
     "mini-css-extract-plugin": "^1.6.0",
     "minimatch": "^3.0.4",
     "mkdirp": "^0.5.5",
-    "mongodb": "^3.6.6",
     "node-fetch": "^2.6.1",
     "nodemailer": "^6.6.1",
     "nunjucks": "^3.2.1",

package/test/password-hash.js

@@ -0,0 +1,56 @@
+const assert = require('assert');
+const passwordHash = require('../modules/@apostrophecms/user/lib/password-hash.js');
+
+const legacyHash = '{"hashMethod":"pbkdf2-sha512","salt":"JEB7TX4iOky4kWy+1xsGlN0u7GpEtEoUxmRzaf0Oi35A5j9ynYZfT1Lk4JofBz5nbAHD4HoMqQnevltTLd4Hbw==","hash":"aFM6axOnaPiwNGly7NsfYEvFHEv1ML4lNyi2nEz95tudK1/M1PUlMbtxujZ+W1Gv8Q2mHh7KnL6Ql94OOL8S0g==","keyLength":64,"iterations":4449149,"credentials3":true}';
+
+describe('password-hash', function() {
+  it('can hash a password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(hash);
+  });
+  it('can verify a correct password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(await instance.verify(hash, 'test one'));
+  });
+  it('cannot verify an incorrect password', async function() {
+    const instance = getInstance();
+    const hash = await instance.hash('test one');
+    assert(!await instance.verify(hash, 'test two'));
+  });
+  it('hash does not contain password and uses scrypt with parameters', async function() {
+    const instance = getInstance();
+    const hash = JSON.parse(await instance.hash('test one'));
+    assert(!JSON.stringify(hash).includes('test one'));
+    assert.strictEqual(hash.hashMethod, 'scrypt');
+    assert(hash.scrypt);
+    assert.strictEqual(hash.scrypt.cost, 131072);
+    assert.strictEqual(hash.scrypt.blockSize, 8);
+    assert.strictEqual(hash.scrypt.parallelization, 1);
+  });
+  it('can verify and modernize a legacy pbkdf2 password hash', async function() {
+    this.timeout(10000);
+    const instance = getInstance();
+    const hash = await instance.verify(legacyHash, 'test-password');
+    assert(hash);
+    assert.strictEqual(typeof hash, 'string');
+    const data = JSON.parse(hash);
+    assert.strictEqual(data.hashMethod, 'scrypt');
+    assert.strictEqual(await instance.verify(hash, 'test-password'), true);
+    assert.strictEqual(await instance.verify(hash, 'bogus-password'), false);
+  });
+  it('can reject a bad password for a legacy pbkdf2 hash', async function() {
+    this.timeout(10000);
+    const instance = getInstance();
+    assert(!await instance.verify(legacyHash, 'bad-password'));
+  });
+});
+
+function getInstance() {
+  return passwordHash({
+    error(s) {
+      return new Error(s);
+    }
+  });
+}

package/test/users.js

@@ -99,7 +99,7 @@ describe('Users', function() {
     }
   });
 
-  it('should verify a user password created with former credential package', async function() {
+  it('should verify a user password created with former credential package and also upgrade the hash', async function() {
     const req = apos.task.getReq();
     const user = apos.user.newInstance();
 
@@ -115,9 +115,25 @@ describe('Users', function() {
     const oldPasswordHashSimulated =
       '{"hash":"/1GntJjtkMY1iPmQY1gn9f3bOZ5tb2qFL+x4qsDerZq2JL8+12TERR4/xqh246wBb+QJwwIRsF/6E+eccshsLxT/","salt":"GJHukLNaG6xDgdIpxVOpqV7xQLQM7e5xnhDW7oaUOe7mTicr7Ca76M4uUJalN/cQ68CE9O7yXZ5WJOz4RN/udcX0","keyLength":66,"hashMethod":"pbkdf2","iterations":2853053}';
 
-    await apos.user.safe.update({ username: 'olduser' }, { $set: { passwordHash: oldPasswordHashSimulated } });
+    await apos.user.safe.updateOne({ username: 'olduser' }, { $set: { passwordHash: oldPasswordHashSimulated } });
     await apos.user.verifyPassword(user, 'passwordThatWentThroughOldCredentialPackageHashing');
-    await apos.user.safe.remove({ username: 'olduser' });
+
+    // verifyPassword now upgrades legacy hashes on next use, e.g.
+    // the next time it is possible because the password is known
+    const newHash = JSON.parse((await apos.user.safe.findOne({
+      username: 'olduser'
+    })).passwordHash);
+    assert.strictEqual(newHash.hashMethod, 'scrypt');
+    // Confirm the modernized end result is still verifiable with the old password
+    await apos.user.verifyPassword(user, 'passwordThatWentThroughOldCredentialPackageHashing');
+    try {
+      // ... And not with a bogus one
+      await apos.user.verifyPassword(user, 'bogus');
+      assert(false);
+    } catch (e) {
+      // Good
+    }
+    await apos.user.safe.removeOne({ username: 'olduser' });
   });
 
   it('should not be able to insert a new user if their email already exists', async function() {