[frontend] Adding the use of Argon2id for password hashing #978
Conversation
AlexandreDoneux
changed the title
AlexandreDoneux
force-pushed
the
argon2id_hash
branch
from
7a1d91b
to
4535ad0
Compare
|
Rebase on 2e692aa. |
| error = True | ||
| msg = _("Incorrect old password.") | ||
| return result, msg, error | ||
| user = self.user_manager.auth_user(self.user_manager.session_username(), data["oldpasswd"], False) |
There was a problem hiding this comment.
I'm a little bit confused with prior code already, but can you confirm that a user with no password (registered through social networks for instance) can actually set a password to use password authentication ?
There was a problem hiding this comment.
They can now. I changed the structure for handling user password change in this PR. Tell me if your ok with it.
Argon2 has a method to check if a hash and a password correspond. You can't rehash the password and compare the two hashes because argon uses a random salt when not given.
…e other hashing function This will allow to change easily the type of hashing algorithm used for passwords in database.
… algorithm instead of all of them
AlexandreDoneux
force-pushed
the
argon2id_hash
branch
from
4e2bf89
to
8990512
Compare
|
Rebase on e2de1c3. |
There was a problem hiding this comment.
LGTM. I'd recommend moving the latest_method prepending into the hash_password method as suggested, to keep the same behaviour for sha512 when saved, and to avoid repeating the identifier in the hashing method itself.
I let you test and confirm this is OK for you and then we'll be able to merge.
Done |
Related to issue #358
This pull request contains changes regarding multiple elements :
Password hashes with argon2id are now stored in the database using a prepend "argon2id-" to allow future changes.