
feat(security): RN-1303: Update password storage to use argon2 #5872

Open

wants to merge 24 commits into base: dev
Conversation

tcaiger
Contributor

@tcaiger tcaiger commented Sep 3, 2024

Issue #: feat(security): RN-1303: Update password storage

Changes:

  • Install @node-rs/argon2 in auth package
  • Update encryptPassword and hashAndSaltPassword helper functions to use argon2 hashing
  • Refactor encryptPassword throughout the mono repo to be async
  • Add verifyPassword helper to verify argon2 password hashes
  • Refactor authentication code throughout the mono repo to use verifyPassword instead of checking sha256 hashes
  • Add migration to hash all existing passwords with argon2
  • Update User checkPassword method to first check for argon2 hashes and then check for migrated passwords that are hashed with both sha256 and argon2

@tcaiger tcaiger changed the title feat(security): RN-1303: Update password storage feat(security): RN-1303: Update password storage to use argon2 Sep 6, 2024
Collaborator

@rohan-bes rohan-bes left a comment


I think this all checks out, nice work @tcaiger 🙏

Review comment on packages/auth/src/passwordEncryption.js (outdated, resolved)
@tcaiger
Contributor Author

tcaiger commented Oct 3, 2024

@rohan and @passcod, thanks for the reviews. One more small question: do you think there is any value or need to keep track of which users have been migrated to the new algorithm on login, in case we ever wanted to remove the sha256EncryptPassword step on login? We could add an isMigrated flag or something?!

@passcod
Member

passcod commented Oct 3, 2024

Oh, because you try sha256 as a fallback.

standard password hashes look like this:

$argon2id$v=19$m=16,t=2,p=1$V2dGZlpObzNGUmdGQ1RjWA$CP3pnsx4wqpWWIs6gUH20g

Instead of using a fallback, we could do the migration such that it goes

(await hash(old)).replace("$argon2id$", "$argon2id+sha$")

Then that both provides an early switch instead of fallback logic, and keeps track of the remaining old-hashed users.

@passcod
Member

passcod commented Oct 3, 2024

Alternatively, set a new field, sure.
