Users: add a validation step which lets the user's password be an Argon2 hashed sha1 hash.
Apr 16, 2021, 1:58 PM
HY2SSCWGFZWIEV7KXAEMFDT3OC7DQANSNZCAGHFGGE3VJX4RDAMAC

Dependencies
- 56Q5PJPG Users: transparently upgrade passwords to Argon2
- S66BOMVU * Added authentication.
- ASPD4MDN Passwords: check in constant time
Change contents
- edit in src/lib/Hydra/Schema/Users.pm at line 240
return 1;} elsif ($authenticator->verify_password(sha1_hex($password), $self->password)) {# The user's database record has their old password as sha1, re-hashed as Argon2.# Store their password hashed only with Argon2.$self->setPassword($password); - edit in t/Schema/Users.t at line 42[5.1730][5.1730]
# All sha1 passwords will be upgraded when `hydra-init` is run, by passing the sha1 through# Argon2. Verify a rehashed sha1 validates too. This removes very weak password hashes# from the database without requiring users to log in.subtest "Hashing their sha1 as Argon2 still lets them log in with their password" => sub {$user->setPassword("8843d7f92416211de9ebb963ff4ce28125932878"); # SHA1 of "foobar"my $hashedHashPassword = $user->password;isnt($user->password, "8843d7f92416211de9ebb963ff4ce28125932878", "The user has had their password's hash rehashed.");ok($user->check_password("foobar"), "Checking the password, foobar, is still right");isnt($user->password, $hashedHashPassword, "The user's hashed hash was replaced with just Argon2.");};
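Review bot: in the Users.pm edit at line 240, the new `elsif` branch calls `sha1_hex`, but nothing in the shown change imports it; confirm `Digest::SHA qw(sha1_hex)` is already in scope in Users.pm, and confirm the branch ends with `return 1;` after `$self->setPassword($password);` as the preceding branch does, since the visible fragment stops at the rehash. Worth stating in the change description as well: until a given user logs in, the stored value is Argon2 over the old SHA1, so the first verification branch (plain password against the stored hash) will accept the bare SHA1 hex string as that user's password; the transitional window is the price of upgrading without a login, and documenting it makes the trade-off explicit for operators deciding how urgently to rotate.

Review bot: in the Users.t edit at line 42, the subtest only covers the success path; add a negative assertion after the rehash so the regression is pinned down, for example `ok(!$user->check_password("8843d7f92416211de9ebb963ff4ce28125932878"), "The sha1 string is no longer accepted after upgrade");` together with a plain wrong-password check such as `ok(!$user->check_password("not-foobar"), ...)`. Both should pass with the code as written, because once `setPassword("foobar")` has run neither branch can match the sha1 string, and they guard against a future change that leaves the hash-of-hash form accepted.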