Add support for argon2 password hashing
This commit is contained in:
parent
1121deb078
commit
3c4f8105df
|
@ -10,11 +10,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Prometheus metrics exporting from `/api/v1/akkoma/metrics`
|
||||
- Ability to alter http pool size
|
||||
- Translation of statuses via ArgosTranslate
|
||||
- Argon2 password hashing
|
||||
|
||||
### Removed
|
||||
- Non-finch HTTP adapters
|
||||
- Legacy redirect from /api/pleroma/admin to /api/v1/pleroma/admin
|
||||
- Legacy redirects from /api/pleroma to /api/v1/pleroma
|
||||
- :crypt dependency
|
||||
|
||||
### Changed
|
||||
- Return HTTP error 413 when uploading an avatar or banner that's above the configured upload limit instead of a 500.
|
||||
|
|
|
@ -2277,7 +2277,7 @@ defmodule Pleroma.User do
|
|||
defp put_password_hash(
|
||||
%Ecto.Changeset{valid?: true, changes: %{password: password}} = changeset
|
||||
) do
|
||||
change(changeset, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
|
||||
change(changeset, password_hash: Argon2.hash_pwd_salt(password))
|
||||
end
|
||||
|
||||
defp put_password_hash(changeset), do: changeset
|
||||
|
|
|
@ -38,10 +38,6 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
|
|||
|
||||
def call(conn, _), do: conn
|
||||
|
||||
def checkpw(password, "$6" <> _ = password_hash) do
|
||||
:crypt.crypt(password, password_hash) == password_hash
|
||||
end
|
||||
|
||||
def checkpw(password, "$2" <> _ = password_hash) do
|
||||
# Handle bcrypt passwords for Mastodon migration
|
||||
Bcrypt.verify_pass(password, password_hash)
|
||||
|
@ -51,6 +47,10 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
|
|||
Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
|
||||
end
|
||||
|
||||
def checkpw(password, "$argon2" <> _ = password_hash) do
|
||||
Argon2.verify_pass(password, password_hash)
|
||||
end
|
||||
|
||||
def checkpw(_password, _password_hash) do
|
||||
Logger.error("Password hash not recognized")
|
||||
false
|
||||
|
@ -64,6 +64,10 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
|
|||
do_update_password(user, password)
|
||||
end
|
||||
|
||||
def maybe_update_password(%User{password_hash: "$pbkdf2" <> _} = user, password) do
|
||||
do_update_password(user, password)
|
||||
end
|
||||
|
||||
def maybe_update_password(user, _), do: {:ok, user}
|
||||
|
||||
defp do_update_password(user, password) do
|
||||
|
|
4
mix.exs
4
mix.exs
|
@ -143,9 +143,7 @@ defmodule Pleroma.Mixfile do
|
|||
{:sweet_xml, "~> 0.7.2"},
|
||||
{:earmark, "~> 1.4.15"},
|
||||
{:bbcode_pleroma, "~> 0.2.0"},
|
||||
{:crypt,
|
||||
git: "https://github.com/msantos/crypt.git",
|
||||
ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"},
|
||||
{:argon2_elixir, "~> 3.0.0"},
|
||||
{:cors_plug, "~> 2.0"},
|
||||
{:web_push_encryption, "~> 0.3.1"},
|
||||
{:swoosh, "~> 1.0"},
|
||||
|
|
2
mix.lock
2
mix.lock
|
@ -1,4 +1,5 @@
|
|||
%{
|
||||
"argon2_elixir": {:hex, :argon2_elixir, "3.0.0", "fd4405f593e77b525a5c667282172dd32772d7c4fa58cdecdaae79d2713b6c5f", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "8b753b270af557d51ba13fcdebc0f0ab27a2a6792df72fd5a6cf9cfaffcedc57"},
|
||||
"base62": {:hex, :base62, "1.2.2", "85c6627eb609317b70f555294045895ffaaeb1758666ab9ef9ca38865b11e629", [:mix], [{:custom_base, "~> 0.2.1", [hex: :custom_base, repo: "hexpm", optional: false]}], "hexpm", "d41336bda8eaa5be197f1e4592400513ee60518e5b9f4dcf38f4b4dae6f377bb"},
|
||||
"bbcode_pleroma": {:hex, :bbcode_pleroma, "0.2.0", "d36f5bca6e2f62261c45be30fa9b92725c0655ad45c99025cb1c3e28e25803ef", [:mix], [{:nimble_parsec, "~> 0.5", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "19851074419a5fedb4ef49e1f01b30df504bb5dbb6d6adfc135238063bebd1c3"},
|
||||
"bcrypt_elixir": {:hex, :bcrypt_elixir, "2.3.1", "5114d780459a04f2b4aeef52307de23de961b69e13a5cd98a911e39fda13f420", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "42182d5f46764def15bf9af83739e3bf4ad22661b1c34fc3e88558efced07279"},
|
||||
|
@ -18,7 +19,6 @@
|
|||
"cowboy_telemetry": {:hex, :cowboy_telemetry, "0.3.1", "ebd1a1d7aff97f27c66654e78ece187abdc646992714164380d8a041eda16754", [:rebar3], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "3a6efd3366130eab84ca372cbd4a7d3c3a97bdfcfb4911233b035d117063f0af"},
|
||||
"cowlib": {:hex, :cowlib, "2.11.0", "0b9ff9c346629256c42ebe1eeb769a83c6cb771a6ee5960bd110ab0b9b872063", [:make, :rebar3], [], "hexpm", "2b3e9da0b21c4565751a6d4901c20d1b4cc25cbb7fd50d91d2ab6dd287bc86a9"},
|
||||
"credo": {:git, "https://github.com/rrrene/credo.git", "1c1b99ea41a457761383d81aaf6a606913996fe7", [ref: "1c1b99ea41a457761383d81aaf6a606913996fe7"]},
|
||||
"crypt": {:git, "https://github.com/msantos/crypt.git", "f75cd55325e33cbea198fb41fe41871392f8fb76", [ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"]},
|
||||
"custom_base": {:hex, :custom_base, "0.2.1", "4a832a42ea0552299d81652aa0b1f775d462175293e99dfbe4d7dbaab785a706", [:mix], [], "hexpm", "8df019facc5ec9603e94f7270f1ac73ddf339f56ade76a721eaa57c1493ba463"},
|
||||
"db_connection": {:hex, :db_connection, "2.4.3", "3b9aac9f27347ec65b271847e6baeb4443d8474289bd18c1d6f4de655b70c94d", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "c127c15b0fa6cfb32eed07465e05da6c815b032508d4ed7c116122871df73c12"},
|
||||
"decimal": {:hex, :decimal, "2.0.0", "a78296e617b0f5dd4c6caf57c714431347912ffb1d0842e998e9792b5642d697", [:mix], [], "hexpm", "34666e9c55dea81013e77d9d87370fe6cb6291d1ef32f46a1600230b1d44f577"},
|
||||
|
|
|
@ -52,7 +52,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
|
|||
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
|
||||
end
|
||||
|
||||
test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
|
||||
test "with a bcrypt hash, it updates to an argon2 hash", %{conn: conn} do
|
||||
user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123"))
|
||||
assert "$2" <> _ = user.password_hash
|
||||
|
||||
|
@ -67,21 +67,17 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
|
|||
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
|
||||
|
||||
user = User.get_by_id(user.id)
|
||||
assert "$pbkdf2" <> _ = user.password_hash
|
||||
assert "$argon2" <> _ = user.password_hash
|
||||
end
|
||||
|
||||
@tag :skip_on_mac
|
||||
test "with a crypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
|
||||
user =
|
||||
insert(:user,
|
||||
password_hash:
|
||||
"$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
|
||||
)
|
||||
test "with a pbkdf2 hash, it updates to an argon2 hash", %{conn: conn} do
|
||||
user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("123"))
|
||||
assert "$pbkdf2" <> _ = user.password_hash
|
||||
|
||||
conn =
|
||||
conn
|
||||
|> assign(:auth_user, user)
|
||||
|> assign(:auth_credentials, %{password: "password"})
|
||||
|> assign(:auth_credentials, %{password: "123"})
|
||||
|> AuthenticationPlug.call(%{})
|
||||
|
||||
assert conn.assigns.user.id == conn.assigns.auth_user.id
|
||||
|
@ -89,7 +85,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
|
|||
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
|
||||
|
||||
user = User.get_by_id(user.id)
|
||||
assert "$pbkdf2" <> _ = user.password_hash
|
||||
assert "$argon2" <> _ = user.password_hash
|
||||
end
|
||||
|
||||
describe "checkpw/2" do
|
||||
|
@ -101,14 +97,6 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
|
|||
refute AuthenticationPlug.checkpw("test-password1", hash)
|
||||
end
|
||||
|
||||
@tag :skip_on_mac
|
||||
test "check sha512-crypt hash" do
|
||||
hash =
|
||||
"$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
|
||||
|
||||
assert AuthenticationPlug.checkpw("password", hash)
|
||||
end
|
||||
|
||||
test "check bcrypt hash" do
|
||||
hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS"
|
||||
|
||||
|
@ -116,6 +104,12 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
|
|||
refute AuthenticationPlug.checkpw("password1", hash)
|
||||
end
|
||||
|
||||
test "check argon2 hash" do
|
||||
hash = "$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
|
||||
assert AuthenticationPlug.checkpw("password", hash)
|
||||
refute AuthenticationPlug.checkpw("password1", hash)
|
||||
end
|
||||
|
||||
test "it returns false when hash invalid" do
|
||||
hash =
|
||||
"psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
|
||||
|
|
|
@ -52,7 +52,7 @@ defmodule Pleroma.Factory do
|
|||
name: sequence(:name, &"Test テスト User #{&1}"),
|
||||
email: sequence(:email, &"user#{&1}@example.com"),
|
||||
nickname: sequence(:nickname, &"nick#{&1}"),
|
||||
password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
|
||||
password_hash: Argon2.hash_pwd_salt("test"),
|
||||
bio: sequence(:bio, &"Tester Number #{&1}"),
|
||||
is_discoverable: true,
|
||||
last_digest_emailed_at: NaiveDateTime.utc_now(),
|
||||
|
|
Loading…
Reference in New Issue