feat: integrate passwap for human user password hashing (#6196)

* feat: use passwap for human user passwords * fix tests * passwap config * add the event mapper * cleanup query side and api * solve linting errors * regression test * try to fix linter errors again * pass systemdefaults into externalConfigChange migration * fix: user password set in auth view * pin passwap v0.2.0 * v2: validate hashed password hash based on prefix * resolve remaining comments * add error tag and translation for unsupported hash encoding * fix unit test --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 05:17:33 +00:00 · 2023-07-14 09:49:57 +03:00
parent 6fcfa63f54
commit 4589ddad4a
56 changed files with 1853 additions and 775 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -356,6 +356,51 @@ SystemDefaults:
    PasswordSaltCost: 14
    MachineKeySize: 2048
    ApplicationKeySize: 2048
+  PasswordHasher:
+  # Set hasher configuration for user passwords.
+  # Passwords previously hashed with a different algorithm
+  # or cost are automatically re-hashed using this config,
+  # upon password validation or update.
+    Hasher:
+      Algorithm: "bcrypt"
+      Cost: 14
+
+    # Other supported Hasher configs:
+
+    # Hasher:
+    #   Algorithm: "argon2i"
+    #   Time: 3
+    #   Memory: 32768
+    #   Threads: 4
+
+    # Hasher:
+    #   Algorithm: "argon2id"
+    #   Time: 1
+    #   Memory: 65536
+    #   Threads: 4
+
+    # Hasher:
+    #   Algorithm: "scrypt"
+    #   Cost: 15
+    
+    # Verifiers enable the possibility of verifying
+    # passwords that are previously hashed using another
+    # algorithm then the Hasher.
+    # This can be used when migrating from one algorithm to another,
+    # or when importing users with hashed passwords.
+    # There is no need to enable a Verifier of the same algorithm
+    # as the Hasher.
+    #
+    # The format of the encoded hash strings must comply
+    # with https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
+    # https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
+    #
+    # Supported verifiers: (uncomment to enable)
+    # Verifiers:
+    #   - "argon2" # verifier for both argon2i and argon2id.
+    #   - "bcrypt"
+    #   - "md5"
+    #   - "scrypt"
  Multifactors:
    OTP:
      # If this is empty, the issuer is the requested domain