From fdb3140b8b397b3d3346c12f0fd48fea02827b18 Mon Sep 17 00:00:00 2001
From: "dmit.b"
Date: Thu, 25 Jun 2026 16:53:56 +0300
Subject: [PATCH] remove bcrypt from registration key, use plain string comparison
---
 .env.example | 2 +-
 api.yaml | 2 +-
 bin/.env | 2 +-
 bin/routes/auth_routes.dart | 14 +++++--------
 4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/.env.example b/.env.example
index 7e91f5f..5c4484f 100644
--- a/.env.example
+++ b/.env.example
@@ -11,5 +11,5 @@ POSTGRES_USER="user"
 POSTGRES_PASSWORD="pwd"
 # TOKEN_LIFETIME in minutes
 TOKEN_LIFETIME=600
-# Secret key for registration (plaintext, hashed with bcrypt at startup)
+# Secret key for registration (plaintext comparison)
 REGISTRATION_SECRET_KEY=your-registration-key
diff --git a/api.yaml b/api.yaml
index 9617a39..ba78902 100644
--- a/api.yaml
+++ b/api.yaml
@@ -254,7 +254,7 @@ components:
 example: "securePass123"
 secret_key:
 type: string
-description: Plaintext registration secret key (REGISTRATION_SECRET_KEY from server .env)
+description: Registration secret key (REGISTRATION_SECRET_KEY from server .env)
 example: "FtracKer*1405."
 LoginResponse:
diff --git a/bin/.env b/bin/.env
index 91cc23e..3d48921 100644
--- a/bin/.env
+++ b/bin/.env
@@ -11,5 +11,5 @@ POSTGRES_USER="postgres"
 POSTGRES_PASSWORD="postgres"
 # TOKEN_LIFETIME in minutes
 TOKEN_LIFETIME=600
-# Secret key for registration (plaintext, hashed with bcrypt at startup)
+# Secret key for registration (plaintext comparison)
 REGISTRATION_SECRET_KEY=FtracKer*1405.
\ No newline at end of file
diff --git a/bin/routes/auth_routes.dart b/bin/routes/auth_routes.dart
index a2bb192..e06e372 100644
--- a/bin/routes/auth_routes.dart
+++ b/bin/routes/auth_routes.dart
@@ -12,15 +12,8 @@ import 'dart:io';
 class AuthRoutes {
 final DatabaseProvider database;
 final Map _lastRequest = {};
-final String _registrationKeyHash;
-AuthRoutes(this.database) : _registrationKeyHash = _loadRegistrationKeyHash();
-
-static String _loadRegistrationKeyHash() {
-final dotenv = DotEnv();
-final key = dotenv['REGISTRATION_SECRET_KEY'] ?? '';
-return BCrypt.hashpw(key, BCrypt.gensalt());
-}
+AuthRoutes(this.database);
 Router get routes {
 final router = Router();
@@ -119,7 +112,10 @@ class AuthRoutes {
 return response;
 }
-if (!BCrypt.checkpw(secretKey, _registrationKeyHash)) {
+final envDotenv = DotEnv();
+final registrationKey = envDotenv['REGISTRATION_SECRET_KEY'] ?? '';
+
+if (secretKey != registrationKey) {
 stopwatch.stop();
 final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'});
 logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
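Review bot: `AuthRoutes(this.database);` drops the one-time load of the registration key that the removed initializer did, and the second hunk in this file now builds a fresh `DotEnv()` inside the `/reg` handler on every request. Reading the key once at construction keeps config lookup out of the request path and turns a missing `REGISTRATION_SECRET_KEY` into a startup-time condition rather than something discovered per request; e.g. `final String _registrationKey;` and `AuthRoutes(this.database) : _registrationKey = DotEnv()['REGISTRATION_SECRET_KEY'] ?? '';`, then compare against `_registrationKey` in the handler. Whether `DotEnv()` re-parses the file or returns a cached view is not visible here, so the per-request cost is inferred. The class body continues outside the hunk.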
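Review bot: The new `if (secretKey != registrationKey)` uses Dart's default string equality, which returns as soon as a length or code-unit mismatch is found, so the check is no longer length-independent the way the `BCrypt.checkpw` call it replaces was. A second gap is the `?? ''` fallback on the line above it: when `REGISTRATION_SECRET_KEY` is unset, the configured key becomes the empty string and a request carrying an empty `secret_key` passes the check — the hashed form had the same fallback, so the commit inherits this rather than introduces it, but the handler should refuse registration outright when the configured key is blank. A small fixed-iteration comparison helper closes the early-exit; the configured key's length still governs the loop bound, which cannot be hidden without padding, and I am assuming `secretKey` is already a `String` by this point. The enclosing handler starts and ends outside the hunk.
```dart
// … unchanged: registrationKey lookup from DotEnv …

// Fail closed: an empty configured key must never match an empty submitted key.
if (registrationKey.isEmpty || !_fixedTimeEquals(secretKey, registrationKey)) {
  // … unchanged: stopwatch.stop(), 403 Response, logRequest …
}

// Class-level helper, alongside the other private members of AuthRoutes.
/// Compares [actual] with [expected] without returning at the first mismatch.
/// The loop always runs over the full length of [expected]; a length
/// difference is folded into the result instead of short-circuiting.
static bool _fixedTimeEquals(String actual, String expected) {
  final a = actual.codeUnits;
  final e = expected.codeUnits;
  var diff = a.length ^ e.length;
  for (var i = 0; i < e.length; i++) {
    // Index modulo a.length so a shorter input still takes the whole loop;
    // the length term above already forces a non-zero result in that case.
    diff |= e[i] ^ (a.isEmpty ? 0 : a[i % a.length]);
  }
  return diff == 0;
}
```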