Merge branch 'argon2' into 'develop'
Support and convert argon2 passwords. See merge request pleroma/pleroma!4257
commit
20e82c7456
5 changed files with 38 additions and 0 deletions
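--- a/changelog.d/argon2-passwords.add
+++ b/changelog.d/argon2-passwords.add
@@ -0,0 +1 @@
+Added support for argon2 passwords and their conversion for migration from Akkoma fork to upstream.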
|
@ -47,6 +47,11 @@ def checkpw(password, "$pbkdf2" <> _ = password_hash) do
|
||||||
Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
|
Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def checkpw(password, "$argon2" <> _ = password_hash) do
|
||||||
|
# Handle argon2 passwords for Akkoma migration
|
||||||
|
Argon2.verify_pass(password, password_hash)
|
||||||
|
end
|
||||||
|
|
||||||
def checkpw(_password, _password_hash) do
|
def checkpw(_password, _password_hash) do
|
||||||
Logger.error("Password hash not recognized")
|
Logger.error("Password hash not recognized")
|
||||||
false
|
false
|
||||||
|
@ -56,6 +61,10 @@ def maybe_update_password(%User{password_hash: "$2" <> _} = user, password) do
|
||||||
do_update_password(user, password)
|
do_update_password(user, password)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def maybe_update_password(%User{password_hash: "$argon2" <> _} = user, password) do
|
||||||
|
do_update_password(user, password)
|
||||||
|
end
|
||||||
|
|
||||||
def maybe_update_password(user, _), do: {:ok, user}
|
def maybe_update_password(user, _), do: {:ok, user}
|
||||||
|
|
||||||
defp do_update_password(user, password) do
|
defp do_update_password(user, password) do
|
||||||
|
|
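Review bot: The new `maybe_update_password/2` clause for `"$argon2"` hashes has no comment, although the test added in this commit shows that a successful login replaces the stored argon2 hash with a `$pbkdf2` one. That swaps a memory-hard hash for one that is not, so the reason should be recorded at the clause, for example `# Akkoma migration: re-hash argon2 passwords to pbkdf2 after a successful login`. `do_update_password/2` is defined outside these hunks, so what it writes is inferred from the test rather than visible here. In `checkpw/2`, the head `"$argon2" <> _` also matches strings that are not one of the argon2i/argon2d/argon2id encodings; confirm that `Argon2.verify_pass/2` returns `false` for such a value rather than raising, so a corrupted row fails closed like the fallback clause does.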
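--- a/mix.exs
+++ b/mix.exs
@@ -203,6 +203,7 @@ defp deps do
 {:websock_adapter, "~> 0.5.6"},
 {:oban_live_dashboard, "~> 0.1.1"},
 {:multipart, "~> 0.4.0", optional: true},
+{:argon2_elixir, "~> 4.0"},
 
 ## dev & test
 {:phoenix_live_reload, "~> 1.3.3", only: :dev},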
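Review bot: `{:argon2_elixir, "~> 4.0"}` is added as a mandatory dependency with no comment saying it exists only to verify password hashes imported from Akkoma. The mix.lock entry in this commit lists `:make` among its build tools and pulls in `elixir_make`, which suggests native code is compiled at build time; confirm that the installation docs and release images provide the toolchain this needs. A comment above the entry, such as `# Verifies argon2 password hashes migrated from Akkoma`, would keep the purpose visible to whoever later audits the dependency list. The `deps` list starts and ends outside the hunk.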
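--- a/mix.lock
+++ b/mix.lock
@@ -1,5 +1,6 @@
 %{
 "accept": {:hex, :accept, "0.3.5", "b33b127abca7cc948bbe6caa4c263369abf1347cfa9d8e699c6d214660f10cd1", [:rebar3], [], "hexpm", "11b18c220bcc2eab63b5470c038ef10eb6783bcb1fcdb11aa4137defa5ac1bb8"},
+"argon2_elixir": {:hex, :argon2_elixir, "4.0.0", "7f6cd2e4a93a37f61d58a367d82f830ad9527082ff3c820b8197a8a736648941", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "f9da27cf060c9ea61b1bd47837a28d7e48a8f6fa13a745e252556c14f9132c7f"},
 "bandit": {:hex, :bandit, "1.5.5", "df28f1c41f745401fe9e85a6882033f5f3442ab6d30c8a2948554062a4ab56e0", [:mix], [{:hpax, "~> 0.2.0", [hex: :hpax, repo: "hexpm", optional: false]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}, {:thousand_island, "~> 1.0", [hex: :thousand_island, repo: "hexpm", optional: false]}, {:websock, "~> 0.5", [hex: :websock, repo: "hexpm", optional: false]}], "hexpm", "f21579a29ea4bc08440343b2b5f16f7cddf2fea5725d31b72cf973ec729079e1"},
 "base62": {:hex, :base62, "1.2.2", "85c6627eb609317b70f555294045895ffaaeb1758666ab9ef9ca38865b11e629", [:mix], [{:custom_base, "~> 0.2.1", [hex: :custom_base, repo: "hexpm", optional: false]}], "hexpm", "d41336bda8eaa5be197f1e4592400513ee60518e5b9f4dcf38f4b4dae6f377bb"},
 "bbcode_pleroma": {:hex, :bbcode_pleroma, "0.2.0", "d36f5bca6e2f62261c45be30fa9b92725c0655ad45c99025cb1c3e28e25803ef", [:mix], [{:nimble_parsec, "~> 0.5", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "19851074419a5fedb4ef49e1f01b30df504bb5dbb6d6adfc135238063bebd1c3"},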
|
@ -70,6 +70,24 @@ test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
|
||||||
assert "$pbkdf2" <> _ = user.password_hash
|
assert "$pbkdf2" <> _ = user.password_hash
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "with an argon2 hash, it updates to a pkbdf2 hash", %{conn: conn} do
|
||||||
|
user = insert(:user, password_hash: Argon2.hash_pwd_salt("123"))
|
||||||
|
assert "$argon2" <> _ = user.password_hash
|
||||||
|
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> assign(:auth_user, user)
|
||||||
|
|> assign(:auth_credentials, %{password: "123"})
|
||||||
|
|> AuthenticationPlug.call(%{})
|
||||||
|
|
||||||
|
assert conn.assigns.user.id == conn.assigns.auth_user.id
|
||||||
|
assert conn.assigns.token == nil
|
||||||
|
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
|
||||||
|
|
||||||
|
user = User.get_by_id(user.id)
|
||||||
|
assert "$pbkdf2" <> _ = user.password_hash
|
||||||
|
end
|
||||||
|
|
||||||
describe "checkpw/2" do
|
describe "checkpw/2" do
|
||||||
test "check pbkdf2 hash" do
|
test "check pbkdf2 hash" do
|
||||||
hash =
|
hash =
|
||||||
|
@ -86,6 +104,14 @@ test "check bcrypt hash" do
|
||||||
refute AuthenticationPlug.checkpw("password1", hash)
|
refute AuthenticationPlug.checkpw("password1", hash)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "check argon2 hash" do
|
||||||
|
hash =
|
||||||
|
"$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
|
||||||
|
|
||||||
|
assert AuthenticationPlug.checkpw("password", hash)
|
||||||
|
refute AuthenticationPlug.checkpw("password1", hash)
|
||||||
|
end
|
||||||
|
|
||||||
test "it returns false when hash invalid" do
|
test "it returns false when hash invalid" do
|
||||||
hash =
|
hash =
|
||||||
"psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
|
"psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
|
||||||
|
|
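Review bot: The new test name `"with an argon2 hash, it updates to a pkbdf2 hash"` repeats the `pkbdf2` misspelling from the bcrypt test above it; it should read `test "with an argon2 hash, it updates to a pbkdf2 hash", %{conn: conn} do`, matching the `"$pbkdf2"` assertion in its body. The plug-level test covers only the correct password. A companion case that sends a wrong password and asserts the stored hash still starts with `"$argon2"` would pin down that the re-hash runs only after successful verification. The `"check argon2 hash"` fixture is an `argon2id` encoding, so the other variants that the `"$argon2"` prefix admits are not exercised here.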