feat: integrate passwap for human user password hashing (#6196)

* feat: use passwap for human user passwords * fix tests * passwap config * add the event mapper * cleanup query side and api * solve linting errors * regression test * try to fix linter errors again * pass systemdefaults into externalConfigChange migration * fix: user password set in auth view * pin passwap v0.2.0 * v2: validate hashed password hash based on prefix * resolve remaining comments * add error tag and translation for unsupported hash encoding * fix unit test --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 01:27:32 +00:00 · 2023-07-14 09:49:57 +03:00
parent 6fcfa63f54
commit 4589ddad4a
56 changed files with 1853 additions and 775 deletions
--- a/internal/api/grpc/user/v2/user.go
+++ b/internal/api/grpc/user/v2/user.go
@@ -48,10 +48,6 @@ func addUserRequestToAddHuman(req *user.AddHumanUserRequest) (*command.AddHuman,
 			return nil, err
 		}
 	}
-	bcryptedPassword, err := hashedPasswordToCommand(req.GetHashedPassword())
-	if err != nil {
-		return nil, err
-	}
 	passwordChangeRequired := req.GetPassword().GetChangeRequired() || req.GetHashedPassword().GetChangeRequired()
 	metadata := make([]*command.AddMetadataEntry, len(req.Metadata))
 	for i, metadataEntry := range req.Metadata {
@@ -85,7 +81,7 @@ func addUserRequestToAddHuman(req *user.AddHumanUserRequest) (*command.AddHuman,
 		Gender:                 genderToDomain(req.GetProfile().GetGender()),
 		Phone:                  command.Phone{}, // TODO: add as soon as possible
 		Password:               req.GetPassword().GetPassword(),
-		BcryptedPassword:       bcryptedPassword,
+		EncodedPasswordHash:    req.GetHashedPassword().GetHash(),
 		PasswordChangeRequired: passwordChangeRequired,
 		Passwordless:           false,
 		Register:               false,
@@ -109,17 +105,6 @@ func genderToDomain(gender user.Gender) domain.Gender {
 	}
 }

-func hashedPasswordToCommand(hashed *user.HashedPassword) (string, error) {
-	if hashed == nil {
-		return "", nil
-	}
-	// we currently only handle bcrypt
-	if hashed.GetAlgorithm() != "bcrypt" {
-		return "", errors.ThrowInvalidArgument(nil, "USER-JDk4t", "Errors.InvalidArgument")
-	}
-	return hashed.GetHash(), nil
-}
-
 func (s *Server) AddIDPLink(ctx context.Context, req *user.AddIDPLinkRequest) (_ *user.AddIDPLinkResponse, err error) {
 	orgID := authz.GetCtxData(ctx).OrgID
 	details, err := s.command.AddUserIDPLink(ctx, req.UserId, orgID, &domain.UserIDPLink{