-
Notifications
You must be signed in to change notification settings - Fork 6.2k
fix: use sufficient computational effort for password hash #3422
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
72d281f to
1c4a557
Compare
Codecov Report
@@ Coverage Diff @@ ## main #3422 +/- ## ========================================== + Coverage 59.21% 60.53% +1.32% ========================================== Files 35 35 Lines 1709 1784 +75 Branches 379 403 +24 ========================================== + Hits 1012 1080 +68 - Misses 559 562 +3 - Partials 138 142 +4
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
bcrypt!
5672008 to
158865b
Compare
@oxy do you mind taking a look at this today or tomorrow?
9ef6d84 to
cc6e284
Compare
9316f61 to
56b413a
Compare
@oxy
oxy
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
argon2 is a stronger algorithm but bcrypt is also alright - though I'm still a little confused about how you're handling authentication, what hashedPassword is used for with the cookie, and how/if we compare against bcrypt passwords in the auth route itself.
56b413a to
8f45524
Compare
Notes:
- merge in PR (try argon2)
- write tests for router (testing one level up from hashing) - make an issue
- add token exchange -> make an issue
- rewrite other parts if needed? -> add to 3
886ed21 to
d929ea4
Compare
20786db to
6d240a0
Compare
@oxy do you mind taking a look at the security warnings/errors flagged by CodeQL? I know we plan to fix most of these in a follow-up PR but want to make sure my code isn't introducing anything you would flag: https://github.com/cdr/code-server/pull/3422/checks?check_run_id=2749748946
6d240a0 to
cf2a570
Compare
This uses argon2 instead of bcrypt. Note: this means the hash functions are now async which means we have to refactor a lot of other code around auth.
Since the hash and isHashMatch are now async, I had to update the tests accordingly. Now everything is working.
This adds the proper await logic for the hashing of passwords.
Since this checks if they are authenticated using the hash/password and it's async, we need to update authenticated to be async, which means we have to update it everywhere it's used.
There was a case with the hashed-password which had multiple equal signs in the value and it wasn't being parsed correctly. This uses a new function and adds a few tests.
This is necessary due to argon2 being added and an upstream issue where it uses a Linux build that is too new for CentOS 7.
c6c5f3f to
4e074f8
Compare
Removed the docs as requested! Ready for another review
4e074f8 to
1e55a64
Compare
@oxy
oxy
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All good! Thanks for sticking through this ❤️
Thanks for sticking through this
Thanks for sharing your security knowledge with me! I feel like I'm slowing becoming more mindful of it thanks to you 😂
Uh oh!
There was an error while loading. Please reload this page.
This PR modifies the underlying algorithm used in the
hashfunction to use sufficient computational effort.Changes
argon2instead ofsha256Screenshots
Using a hashed-password (
sha256)Screen.Recording.2021年06月03日.at.11.37.25.AM.mov
Using a regular password (not hashed)
Screen.Recording.2021年06月03日.at.11.40.37.AM.mov
Using a hashed-password (
argon2)Screen.Recording.2021年06月04日.at.1.46.16.PM.mov
Checklist
CHANGELOG.mdFixes #3381
Follow-up: #3432
Notes
Here is how authentication works in code-server:
image
Link to Excalidraw