[frontend] Adding the use of Argon2id for password hashing #978
Conversation
Could you please also rebase this PR so that it has no more conflicts?
7a1d91b to 4535ad0: Rebase on 2e692aa.
error = True
msg = _("Incorrect old password.")
return result, msg, error
user = self.user_manager.auth_user(self.user_manager.session_username(), data["oldpasswd"], False)
I'm a little bit confused with prior code already, but can you confirm that a user with no password (registered through social networks for instance) can actually set a password to use password authentication?
They can now. I changed the structure for handling user password change in this PR. Tell me if you're ok with it.
Argon2 has a method to check if a hash and a password correspond. You can't rehash the password and compare the two hashes because Argon2 uses a random salt when not given.
…e other hashing function. This will allow the type of hashing algorithm used for passwords in the database to be changed easily.
… algorithm instead of all of them
4e2bf89 to 8990512: Rebase on e2de1c3.
LGTM. I'd recommend moving the latest_method prepending into the hash_password method as suggested, to keep the same behaviour for sha512 when saved, and to avoid repeating the identifier in the hashing method itself.
I let you test and confirm this is OK for you and then we'll be able to merge.
Done
Related to issue #358
This pull request contains changes regarding multiple elements:
Password hashes with argon2id are now stored in the database with the prefix "argon2id-" to allow future changes.
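As an added illustration (not code from this PR or from the project), the storage scheme described here in Python: hash_password prepends the latest method identifier once, verify_password dispatches on that prefix and falls back to legacy unprefixed sha512, and verification reuses the salt stored in the hash instead of rehashing, which is the point made about Argon2's random salt in the comments above. Assumptions: hashlib.scrypt stands in for the argon2 library so the example runs without extra dependencies, and all function names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

# Identifier prepended to stored hashes, separated by "-", as in the PR.
LATEST_METHOD = "argon2id"
SEP = "-"


def _hash_argon2id_standin(password: str, salt: Optional[bytes] = None) -> str:
    # Stand-in (assumption): hashlib.scrypt replaces the argon2 library so the
    # example runs offline. Like Argon2, it draws a random salt when none is given.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def _verify_argon2id_standin(password: str, encoded: str) -> bool:
    # Rehashing and comparing cannot work: a fresh random salt gives a new hash.
    # A verify step must reuse the salt stored inside the encoded hash instead.
    salt_hex, _, _ = encoded.partition("$")
    recomputed = _hash_argon2id_standin(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, encoded)


def _verify_sha512(password: str, encoded: str) -> bool:
    # Legacy behaviour: unsalted sha512 hex digest, stored without a prefix.
    return hmac.compare_digest(hashlib.sha512(password.encode()).hexdigest(), encoded)


VERIFIERS = {"argon2id": _verify_argon2id_standin, "sha512": _verify_sha512}


def hash_password(password: str) -> str:
    # The prefix is added here, once, rather than inside each hashing method.
    return LATEST_METHOD + SEP + _hash_argon2id_standin(password)


def verify_password(password: str, stored: str) -> bool:
    # Dispatch on the prefix; a hash with no known prefix is a legacy sha512 one.
    method, sep, encoded = stored.partition(SEP)
    if sep and method in VERIFIERS:
        return VERIFIERS[method](password, encoded)
    return _verify_sha512(password, stored)


def needs_rehash(stored: str) -> bool:
    # Lets a login path upgrade legacy hashes to the latest method transparently.
    return not stored.startswith(LATEST_METHOD + SEP)
```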