Document password hash additions to documentation. #77

Merged
merged 6 commits into from
Mar 28, 2024
38 changes: 38 additions & 0 deletions docs/05-concepts/10-authentication/04-providers/01-email.md
Expand Up @@ -121,3 +121,41 @@ await authController.resetPassword(email, verificationCode, password);
```

After the password has been reset you have to call the `signIn` method to log in. This can be achieved by either letting the user type in the details again or simply chaining the `resetPassword` method and the `singIn` method for a seamless UX.


## Password storage security

Serverpod provides some additional configurable options to provide extra layers of security for stored password hashes.

### Peppering

For an additional layer of security, it is possible to configure a password hash pepper. A pepper is a server-side secret that is added, along with a unique salt, to a password before it is hashed and stored. The pepper makes it harder for an attacker to crack password hashes if they have only gained access to the database.

The (recommended pepper length)[https://www.ietf.org/archive/id/draft-ietf-kitten-password-storage-04.html#name-storage-2] is 32 bytes.

To configure a pepper, set the `emailPasswordPepper` property in the `config/passwords.yaml` file.

```yaml
development:
emailPasswordPepper: 'your-pepper'
```

It is essential to keep the pepper secret and never expose it to the client.

:::warning

If the pepper is changed, all passwords in the database will need to be re-hashed with the new pepper.

:::

### Secure random

Serverpod uses the `dart:math` library to generate random salts for password hashing. By default, if no secure random number generator is available, a cryptographically unsecure random number is used.

It is possible to prevent this fallback by setting the `allowUnsecureRandom` property in the `AuthConfig` to `false`. If the `allowUnsecureRandom` property is false, the server will throw an exception if a secure random number generator is unavailable.

```dart
auth.AuthConfig.set(auth.AuthConfig(
allowUnsecureRandom: false,
));
```
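Review bot: the warning that closes the "Peppering" section ("If the pepper is changed, all passwords in the database will need to be re-hashed with the new pepper") describes something the server cannot do by itself: a hash can only be recomputed from the plaintext password, which is never stored. Either say that a pepper change invalidates the existing hashes and users must reset their passwords, or describe a migration that keeps the old pepper available for verification and re-hashes with the new pepper the next time each user signs in. Two smaller points in the same hunk: the link `(recommended pepper length)[https://www.ietf.org/...]` has the markdown bracket order reversed and will render literally; it should be `[recommended pepper length](https://...)`. And since the recommendation is 32 bytes, the sample `emailPasswordPepper: 'your-pepper'` invites a short, human-typed value; one sentence saying the pepper should come from a cryptographically secure random generator, and that `config/passwords.yaml` belongs outside version control, would make "keep the pepper secret" actionable. In the "Secure random" paragraph, "cryptographically unsecure" should read "cryptographically insecure" (the property name `allowUnsecureRandom` is code and stays as it is).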
13 changes: 13 additions & 0 deletions docs/12-upgrading/01-upgrade-to-two.md
Expand Up @@ -139,3 +139,16 @@ and if `result.map((row) => row.toColumnMap())` is used to format the result fro
]
```

## Changes in the authentication module

### Unsecure random disabled by default
The authentication module's default value for allowing unsecure random number generation is now `false`. An exception will be thrown when trying to hash a password if no secure random number generator is available. To preserve the old behavior and enable unsecure random number generation, set the `allowUnsecureRandom` property in the `AuthConfig` to `true`.

```dart
auth.AuthConfig.set(auth.AuthConfig(
allowUnsecureRandom: true,
));
```
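Review bot: the migration advice here hands developers the escape hatch without saying what it costs. "To preserve the old behavior and enable unsecure random number generation, set the `allowUnsecureRandom` property in the `AuthConfig` to `true`" reads as the expected upgrade path, but a salt drawn from a non-secure generator is predictable, which weakens every hash stored with it. Suggest leading with the actual fix (make a secure random source available on the host so the exception never fires) and presenting `allowUnsecureRandom: true` as a last resort with an explicit warning, along the lines of "Only set this to `true` if you accept that password salts will be predictable." Also, "Unsecure random" in the heading and body should be "Insecure random"; the identifier `allowUnsecureRandom` is code and stays unchanged.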



Expand Up @@ -121,3 +121,39 @@ await authController.resetPassword(email, verificationCode, password);
```

After the password has been reset you have to call the `signIn` method to log in. This can be achieved by either letting the user type in the details again or simply chaining the `resetPassword` method and the `singIn` method for a seamless UX.


## Password storage security

Serverpod provides some additional configurable options to provide extra layers of security for stored password hashes.

### Peppering

For an additional layer of security, it is possible to configure a password hash pepper. A pepper is a server-side secret that is added, along with a unique salt, to a password before it is hashed and stored. The pepper makes it harder for an attacker to crack password hashes if they have only gained access to the database.

The (recommended pepper length)[https://www.ietf.org/archive/id/draft-ietf-kitten-password-storage-04.html#name-storage-2] is 32 bytes.

To configure a pepper, set the `emailPasswordPepper` property in the `config/passwords.yaml` file.

```yaml
development:
emailPasswordPepper: 'your-pepper'
```

It is essential to keep the pepper secret and never expose it to the client.

If the pepper is changed, all passwords in the database will need to be re-hashed with the new pepper.

### Secure random

Serverpod uses the `dart:math` library to generate random salts for password hashing. By default, if no secure random number generator is available, a cryptographically unsecure random number is used.

It is possible to prevent this fallback by setting the `allowUnsecureRandom` property in the `AuthConfig` to `false`. If the `allowUnsecureRandom` property is false, the server will throw an exception if a secure random number generator is unavailable.

```dart
auth.AuthConfig.set(auth.AuthConfig(
allowUnsecureRandom: false,
));
```

The default value will change to `false` in Serverpod 2.0.
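Review bot: this second rendering of `01-email.md` disagrees with the upgrade guide added in the same PR. Its closing line "The default value will change to `false` in Serverpod 2.0." states the change as future, while `docs/12-upgrading/01-upgrade-to-two.md` says the default "is now `false`"; this copy also lacks the `:::warning` admonition around the pepper-change note that the other rendering has. Whichever copy is final should be the one kept, and the sentence about the default should agree with the upgrade guide (for example "The default value is `false` as of Serverpod 2.0.").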