feat: integrate passwap for human user password hashing (#6196)

* feat: use passwap for human user passwords

* fix tests

* passwap config

* add the event mapper

* cleanup query side and api

* solve linting errors

* regression test

* try to fix linter errors again

* pass systemdefaults into externalConfigChange migration

* fix: user password set in auth view

* pin passwap v0.2.0

* v2: validate hashed password hash based on prefix

* resolve remaining comments

* add error tag and translation for unsupported hash encoding

* fix unit test

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

cmd/defaults.yaml

@@ -356,6 +356,51 @@ SystemDefaults:
     PasswordSaltCost: 14
     MachineKeySize: 2048
     ApplicationKeySize: 2048
+  PasswordHasher:
+  # Set hasher configuration for user passwords.
+  # Passwords previously hashed with a different algorithm
+  # or cost are automatically re-hashed using this config,
+  # upon password validation or update.
+    Hasher:
+      Algorithm: "bcrypt"
+      Cost: 14
+
+    # Other supported Hasher configs:
+
+    # Hasher:
+    #   Algorithm: "argon2i"
+    #   Time: 3
+    #   Memory: 32768
+    #   Threads: 4
+
+    # Hasher:
+    #   Algorithm: "argon2id"
+    #   Time: 1
+    #   Memory: 65536
+    #   Threads: 4
+
+    # Hasher:
+    #   Algorithm: "scrypt"
+    #   Cost: 15
+    
+    # Verifiers enable the possibility of verifying
+    # passwords that are previously hashed using another
+    # algorithm then the Hasher.
+    # This can be used when migrating from one algorithm to another,
+    # or when importing users with hashed passwords.
+    # There is no need to enable a Verifier of the same algorithm
+    # as the Hasher.
+    #
+    # The format of the encoded hash strings must comply
+    # with https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
+    # https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
+    #
+    # Supported verifiers: (uncomment to enable)
+    # Verifiers:
+    #   - "argon2" # verifier for both argon2i and argon2id.
+    #   - "bcrypt"
+    #   - "md5"
+    #   - "scrypt"
   Multifactors:
     OTP:
       # If this is empty, the issuer is the requested domain

cmd/setup/config_change.go

@@ -17,6 +17,7 @@ type externalConfigChange struct {
 	currentExternalDomain string
 	currentExternalSecure bool
 	currentExternalPort   uint16
+	defaults              systemdefaults.SystemDefaults
 }
 
 func (mig *externalConfigChange) SetLastExecution(lastRun map[string]interface{}) {
@@ -35,7 +36,7 @@ func (mig *externalConfigChange) Check() bool {
 func (mig *externalConfigChange) Execute(ctx context.Context) error {
 	cmd, err := command.StartCommands(
 		mig.es,
-		systemdefaults.SystemDefaults{},
+		mig.defaults,
 		nil,
 		nil,
 		nil,

cmd/setup/setup.go

@@ -104,6 +104,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 			ExternalDomain: config.ExternalDomain,
 			ExternalPort:   config.ExternalPort,
 			ExternalSecure: config.ExternalSecure,
+			defaults:       config.SystemDefaults,
 		},
 		&projectionTables{
 			es:      eventstoreClient,