feat: integrate passwap for human user password hashing (#6196)

* feat: use passwap for human user passwords * fix tests * passwap config * add the event mapper * cleanup query side and api * solve linting errors * regression test * try to fix linter errors again * pass systemdefaults into externalConfigChange migration * fix: user password set in auth view * pin passwap v0.2.0 * v2: validate hashed password hash based on prefix * resolve remaining comments * add error tag and translation for unsupported hash encoding * fix unit test --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:37:32 +00:00 · 2023-07-14 09:49:57 +03:00
parent 6fcfa63f54
commit 4589ddad4a
56 changed files with 1853 additions and 775 deletions
--- a/internal/domain/human.go
+++ b/internal/domain/human.go
@@ -16,7 +16,7 @@ type Human struct {
 	Username string
 	State    UserState
 	*Password
-	*HashedPassword
+	HashedPassword string
 	*Profile
 	*Email
 	*Phone
@@ -103,10 +103,10 @@ func (u *Human) EnsureDisplayName() {
 	u.DisplayName = u.Username
 }

-func (u *Human) HashPasswordIfExisting(policy *PasswordComplexityPolicy, passwordAlg crypto.HashAlgorithm, onetime bool) error {
+func (u *Human) HashPasswordIfExisting(policy *PasswordComplexityPolicy, hasher *crypto.PasswordHasher, onetime bool) error {
 	if u.Password != nil {
 		u.Password.ChangeRequired = onetime
-		return u.Password.HashPasswordIfExisting(policy, passwordAlg)
+		return u.Password.HashPasswordIfExisting(policy, hasher)
 	}
 	return nil
 }
@@ -115,7 +115,7 @@ func (u *Human) IsInitialState(passwordless, externalIDPs bool) bool {
 	if externalIDPs {
 		return false
 	}
-	return u.Email == nil || !u.IsEmailVerified || !passwordless && (u.Password == nil || u.Password.SecretString == "") && (u.HashedPassword == nil || u.HashedPassword.SecretString == "")
+	return u.Email == nil || !u.IsEmailVerified || !passwordless && (u.Password == nil || u.Password.SecretString == "") && u.HashedPassword == ""
 }

 func NewInitUserCode(generator crypto.Generator) (*InitUserCode, error) {
--- a/internal/domain/human_hashed_password.go
+++ b/internal/domain/human_hashed_password.go
@@ -1,24 +0,0 @@
-package domain
-
-import (
-	"github.com/zitadel/zitadel/internal/crypto"
-	es_models "github.com/zitadel/zitadel/internal/eventstore/v1/models"
-)
-
-type HashedPassword struct {
-	es_models.ObjectRoot
-
-	SecretString string
-	SecretCrypto *crypto.CryptoValue
-}
-
-func NewHashedPassword(password, algorithm string) *HashedPassword {
-	return &HashedPassword{
-		SecretString: password,
-		SecretCrypto: &crypto.CryptoValue{
-			CryptoType: crypto.TypeHash,
-			Algorithm:  algorithm,
-			Crypted:    []byte(password),
-		},
-	}
-}
--- a/internal/domain/human_password.go
+++ b/internal/domain/human_password.go
@@ -12,7 +12,7 @@ type Password struct {
 	es_models.ObjectRoot

 	SecretString   string
-	SecretCrypto   *crypto.CryptoValue
+	EncodedSecret  string
 	ChangeRequired bool
 }

@@ -30,7 +30,7 @@ type PasswordCode struct {
 	NotificationType NotificationType
 }

-func (p *Password) HashPasswordIfExisting(policy *PasswordComplexityPolicy, passwordAlg crypto.HashAlgorithm) error {
+func (p *Password) HashPasswordIfExisting(policy *PasswordComplexityPolicy, hasher *crypto.PasswordHasher) error {
 	if p.SecretString == "" {
 		return nil
 	}
@@ -40,11 +40,11 @@ func (p *Password) HashPasswordIfExisting(policy *PasswordComplexityPolicy, pass
 	if err := policy.Check(p.SecretString); err != nil {
 		return err
 	}
-	secret, err := crypto.Hash([]byte(p.SecretString), passwordAlg)
+	encoded, err := hasher.Hash(p.SecretString)
 	if err != nil {
 		return err
 	}
-	p.SecretCrypto = secret
+	p.EncodedSecret = encoded
 	return nil
 }