fix(defaults): configure hashers via env (#7872)

fix(setup): configure hashers via env Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-06-08 13:38:33 +00:00 · 2024-05-08 08:48:26 +02:00 · 2024-05-08 08:48:26 +02:00 · 24a9d7c730
commit 24a9d7c730
parent f3abbad133
1 changed files with 34 additions and 28 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@ -438,32 +438,25 @@ SystemDefaults:
    # Passwords previously hashed with a different algorithm
    # or cost are automatically re-hashed using this config,
    # upon password validation or update.
+    # Configure the Hasher config by environment variable using JSON notation:
+    # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER='{"Algorithm":"pbkdf2","Rounds":290000,"Hash":"sha256"}'
    Hasher:
-      Algorithm: "bcrypt" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
+      # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
+      # Depending on the algorithm, different configuration options take effect.
+      Algorithm: bcrypt
+      # Cost takes effect for the algorithms bcrypt and scrypt
      Cost: 14 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
-
-    # Other supported Hasher configs:
-
-    # Hasher:
-    #   Algorithm: "argon2i" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Time: 3 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
-    #   Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
-    #   Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
-
-    # Hasher:
-    #   Algorithm: "argon2id" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Time: 1 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
-    #   Memory: 65536 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
-    #   Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
-
-    # Hasher:
-    #   Algorithm: "scrypt" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Cost: 15 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
-
-    # Hasher:
-    #   Algorithm: "pbkdf2" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
-    #   Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ROUNDS
-    #   Hash: "sha256" # Can be "sha1", "sha224", "sha256", "sha384" or "sha512" # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_HASH
+      # Time takes effect for the algorithms argon2i and argon2id
+      Time: 3 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
+      # Memory takes effect for the algorithms argon2i and argon2id
+      Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
+      # Threads takes effect for the algorithms argon2i and argon2id
+      Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
+      # Rounds takes effect for the algorithm pbkdf2
+      Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ROUNDS
+      # Hash takes effect for the algorithm pbkdf2
+      # Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
+      Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_HASH

    # Verifiers enable the possibility of verifying
    # passwords that are previously hashed using another
@ -478,7 +471,7 @@ SystemDefaults:
    # https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
    #
    # Supported verifiers: (uncomment to enable)
-    Verifiers:
+    Verifiers: # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
    #   - "argon2" # verifier for both argon2i and argon2id.
    #   - "bcrypt"
    #   - "md5"
@ -486,11 +479,24 @@ SystemDefaults:
    #   - "pbkdf2" # verifier for all pbkdf2 hash modes.
  SecretHasher:
    # Set hasher configuration for machine users, API and OIDC client secrets.
-    # See PasswordHasher for all possible options
    Hasher:
-      Algorithm: "bcrypt" # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ALGORITHM
+      # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
+      # Depending on the algorithm, different configuration options take effect.
+      Algorithm: bcrypt
+      # Cost takes effect for the algorithms bcrypt and scrypt
      Cost: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_COST
-    Verifiers:
+      # Time takes effect for the algorithms argon2i and argon2id
+      Time: 3 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_TIME
+      # Memory takes effect for the algorithms argon2i and argon2id
+      Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_MEMORY
+      # Threads takes effect for the algorithms argon2i and argon2id
+      Threads: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_THREADS
+      # Rounds takes effect for the algorithm pbkdf2
+      Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ROUNDS
+      # Hash takes effect for the algorithm pbkdf2
+      # Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
+      Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_HASH
+    Verifiers: # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_VERIFIERS
  Multifactors:
    OTP:
      # If this is empty, the issuer is the requested domain