feat: integrate passwap for human user password hashing (#6196)

* feat: use passwap for human user passwords * fix tests * passwap config * add the event mapper * cleanup query side and api * solve linting errors * regression test * try to fix linter errors again * pass systemdefaults into externalConfigChange migration * fix: user password set in auth view * pin passwap v0.2.0 * v2: validate hashed password hash based on prefix * resolve remaining comments * add error tag and translation for unsupported hash encoding * fix unit test --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 21:17:32 +00:00 · 2023-07-14 09:49:57 +03:00
parent 6fcfa63f54
commit 4589ddad4a
56 changed files with 1853 additions and 775 deletions
--- a/internal/query/user_password.go
+++ b/internal/query/user_password.go
@@ -15,7 +15,7 @@ import (
 type HumanPasswordReadModel struct {
 	*eventstore.ReadModel

-	Secret               *crypto.CryptoValue
+	EncodedHash          string
 	SecretChangeRequired bool

 	Code                     *crypto.CryptoValue
@@ -26,26 +26,21 @@ type HumanPasswordReadModel struct {
 	UserState domain.UserState
 }

-func (q *Queries) GetHumanPassword(ctx context.Context, orgID, userID string) (passwordHash []byte, algorithm string, err error) {
+func (q *Queries) GetHumanPassword(ctx context.Context, orgID, userID string) (encodedHash string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

 	if userID == "" {
-		return nil, "", errors.ThrowInvalidArgument(nil, "QUERY-4Mfsf", "Errors.User.UserIDMissing")
+		return "", errors.ThrowInvalidArgument(nil, "QUERY-4Mfsf", "Errors.User.UserIDMissing")
 	}
 	existingPassword, err := q.passwordReadModel(ctx, userID, orgID)
 	if err != nil {
-		return nil, "", errors.ThrowInternal(nil, "QUERY-p1k1n2i", "Errors.User.NotFound")
+		return "", errors.ThrowInternal(nil, "QUERY-p1k1n2i", "Errors.User.NotFound")
 	}
 	if existingPassword.UserState == domain.UserStateUnspecified || existingPassword.UserState == domain.UserStateDeleted {
-		return nil, "", errors.ThrowPreconditionFailed(nil, "QUERY-3n77z", "Errors.User.NotFound")
+		return "", errors.ThrowPreconditionFailed(nil, "QUERY-3n77z", "Errors.User.NotFound")
 	}
-
-	if existingPassword.Secret != nil && existingPassword.Secret.Crypted != nil {
-		return existingPassword.Secret.Crypted, existingPassword.Secret.Algorithm, nil
-	}
-
-	return nil, "", nil
+	return existingPassword.EncodedHash, nil
 }

 func (q *Queries) passwordReadModel(ctx context.Context, userID, resourceOwner string) (readModel *HumanPasswordReadModel, err error) {
@@ -77,11 +72,11 @@ func (wm *HumanPasswordReadModel) Reduce() error {
 	for _, event := range wm.Events {
 		switch e := event.(type) {
 		case *user.HumanAddedEvent:
-			wm.Secret = e.Secret
+			wm.EncodedHash = user.SecretOrEncodedHash(e.Secret, e.EncodedHash)
 			wm.SecretChangeRequired = e.ChangeRequired
 			wm.UserState = domain.UserStateActive
 		case *user.HumanRegisteredEvent:
-			wm.Secret = e.Secret
+			wm.EncodedHash = user.SecretOrEncodedHash(e.Secret, e.EncodedHash)
 			wm.SecretChangeRequired = e.ChangeRequired
 			wm.UserState = domain.UserStateActive
 		case *user.HumanInitialCodeAddedEvent:
@@ -89,7 +84,7 @@ func (wm *HumanPasswordReadModel) Reduce() error {
 		case *user.HumanInitializedCheckSucceededEvent:
 			wm.UserState = domain.UserStateActive
 		case *user.HumanPasswordChangedEvent:
-			wm.Secret = e.Secret
+			wm.EncodedHash = user.SecretOrEncodedHash(e.Secret, e.EncodedHash)
 			wm.SecretChangeRequired = e.ChangeRequired
 			wm.Code = nil
 			wm.PasswordCheckFailedCount = 0
@@ -109,6 +104,8 @@ func (wm *HumanPasswordReadModel) Reduce() error {
 			wm.PasswordCheckFailedCount = 0
 		case *user.UserRemovedEvent:
 			wm.UserState = domain.UserStateDeleted
+		case *user.HumanPasswordHashUpdatedEvent:
+			wm.EncodedHash = e.EncodedHash
 		}
 	}
 	return wm.ReadModel.Reduce()
@@ -139,7 +136,8 @@ func (wm *HumanPasswordReadModel) Query() *eventstore.SearchQueryBuilder {
 			user.UserV1PasswordCodeAddedType,
 			user.UserV1EmailVerifiedType,
 			user.UserV1PasswordCheckFailedType,
-			user.UserV1PasswordCheckSucceededType).
+			user.UserV1PasswordCheckSucceededType,
+			user.UserV1PasswordHashUpdatedType).
 		Builder()

 	if wm.ResourceOwner != "" {