Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate to argon2id for storing passwords #564

Open
wants to merge 20 commits into
base: development
Choose a base branch
from
Open

Migrate to argon2id for storing passwords #564

wants to merge 20 commits into from
+659 −37

Commits on Oct 7, 2022

  1. Add argon2 binding for neko

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    5556fac View commit details
    Browse the repository at this point in the history

  2. [argon2] Account for null bytes in neko strings

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    a0b6a18 View commit details
    Browse the repository at this point in the history

  3. Implement argon2id hashing

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    5b26d1d View commit details
    Browse the repository at this point in the history

  4. [earthly] Update to build argon2.ndll

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    a1be3ba View commit details
    Browse the repository at this point in the history

  5. Implement database updating system 

    This allows password to be automatically rehashed if the database is old
    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    acda9d3 View commit details
    Browse the repository at this point in the history

  6. [test] Add tests for database updating system

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    1498a92 View commit details
    Browse the repository at this point in the history

  7. Run database update script in SiteDb init for now

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    892b9a9 View commit details
    Browse the repository at this point in the history

  8. Bump server api version to 4.0 

    This is so that we can drop support for submit and register for old
clients, which use 3.0
    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    6fe590c View commit details
    Browse the repository at this point in the history

  9. Reject submit and register from old clients 

    This is required to properly migrate away from md5, as old clients
performed hashing on client side.
    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    11befe7 View commit details
    Browse the repository at this point in the history

  10. Update server code to use argon2id 

    - Passwords are now hashed on the server, with a salt.

- After the database update has run, for old accounts we are left with
their old md5 hash rehashed using argon2id, so to verify their password,
we hash first using md5 and then rehash with argon2id.
    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    2e91d62 View commit details
    Browse the repository at this point in the history

  11. Migrate hash to argon2id when a user logs in 

    This way we can gradually remove the rehashed md5 hashes
    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    b76cc59 View commit details
    Browse the repository at this point in the history

  12. [test] Add tests for hash method update on login

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    d19e38f View commit details
    Browse the repository at this point in the history

  13. [test] Ensure failed login doesn't update hash

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    921476e View commit details
    Browse the repository at this point in the history

  14. [test] Ensure that password works after hash update

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    aee9a63 View commit details
    Browse the repository at this point in the history

  15. Add test environment for skeema

    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    0ffa12d View commit details
    Browse the repository at this point in the history

  16. Temporarily disable failing test 

    This test results in a request to lib.haxe.org, which does not provide
api version 4.0 yet
    @tobil4sk
    tobil4sk committed Oct 7, 2022
    Configuration menu
    Copy the full SHA
    a3460af View commit details
    Browse the repository at this point in the history

Commits on Nov 26, 2022

  1. Automatically add new table columns 

    This will be done via sql statements for now, because I'm not sure
how to run `skeema push` automatically.
    @tobil4sk
    tobil4sk committed Nov 26, 2022
    Configuration menu
    Copy the full SHA
    2e96da8 View commit details
    Browse the repository at this point in the history

  2. Do not run updates on fresh databases

    @tobil4sk
    tobil4sk committed Nov 26, 2022
    Configuration menu
    Copy the full SHA
    894950a View commit details
    Browse the repository at this point in the history

Commits on Nov 28, 2022

  1. Add missing file close

    @tobil4sk
    tobil4sk committed Nov 28, 2022
    Configuration menu
    Copy the full SHA
    fd4990e View commit details
    Browse the repository at this point in the history

Commits on Nov 29, 2022

  1. Use urandom for salt generation

    @tobil4sk
    tobil4sk committed Nov 29, 2022
    Configuration menu
    Copy the full SHA
    e3b379c View commit details
    Browse the repository at this point in the history