argon2 support #308
Loading…
Reference in a new issue
No description provided.
Delete branch "argon2"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Passwords will be automatically re-hashed on sign-in.
All new password hashes will be argon2 by default.
This uses argon2id and is not configurable (mostly since it's the default and I couldn't be bothered).
In the very unlikely case someone has more specific needs (e.g wants the additional resistance to side-channel attacks from using pure argon2i, or is worried about gpu attacks and wants to use argon2d), a fork is recommended (since there are many other parts of the codebase that would need significant modification).
Due to the change in attitude towards configurability, it's recommended this be squash-merged.
ChangeLog: Added
@ -69,6 +69,11 @@ export default async (ctx: Koa.Context) => {// Compare passwordconst same = await comparePassword(password, profile.password!);if (same && isOldAlgorithm(profile.password!)) {I'm not sure if putting this here before potential other checks doesn't make it susceptible to timing attacks?
sameis a static check and short circuits.If
sameis true, the login would already be successful.The only difference in timing would be in case of successful validation, in which case it's also static except for ONE time when the hash is updated (and it's already updated by the time you can figure that out).
sameis a static check and short circuits.If
sameis true, the login would already be successful.The only difference in timing would be in case of successful validation, in which case it's also static except for ONE time when the hash is updated (and it's already updated by the time you can figure that out).
Other than the comment above seems fine to me.