feat: integrate passwap for human user password hashing (#6196)

* feat: use passwap for human user passwords * fix tests * passwap config * add the event mapper * cleanup query side and api * solve linting errors * regression test * try to fix linter errors again * pass systemdefaults into externalConfigChange migration * fix: user password set in auth view * pin passwap v0.2.0 * v2: validate hashed password hash based on prefix * resolve remaining comments * add error tag and translation for unsupported hash encoding * fix unit test --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 01:37:31 +00:00 · 2023-07-14 09:49:57 +03:00
parent 6fcfa63f54
commit 4589ddad4a
56 changed files with 1853 additions and 775 deletions
--- a/internal/repository/user/human_password.go
+++ b/internal/repository/user/human_password.go
@@ -26,7 +26,10 @@ const (
 type HumanPasswordChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`

+	// New events only use EncodedHash. However, the secret field
+	// is preserved to handle events older than the switch to Passwap.
 	Secret         *crypto.CryptoValue `json:"secret,omitempty"`
+	EncodedHash    string              `json:"encodedHash,omitempty"`
 	ChangeRequired bool                `json:"changeRequired"`
 	UserAgentID    string              `json:"userAgentID,omitempty"`
 }
@@ -42,7 +45,7 @@ func (e *HumanPasswordChangedEvent) UniqueConstraints() []*eventstore.EventUniqu
 func NewHumanPasswordChangedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	secret *crypto.CryptoValue,
+	encodeHash string,
 	changeRequired bool,
 	userAgentID string,
 ) *HumanPasswordChangedEvent {
@@ -52,7 +55,7 @@ func NewHumanPasswordChangedEvent(
 			aggregate,
 			HumanPasswordChangedType,
 		),
-		Secret:         secret,
+		EncodedHash:    encodeHash,
 		ChangeRequired: changeRequired,
 		UserAgentID:    userAgentID,
 	}
@@ -268,3 +271,44 @@ func HumanPasswordCheckFailedEventMapper(event *repository.Event) (eventstore.Ev

 	return humanAdded, nil
 }
+
+type HumanPasswordHashUpdatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	EncodedHash          string `json:"encodedHash,omitempty"`
+}
+
+func (e *HumanPasswordHashUpdatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPasswordHashUpdatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func (e *HumanPasswordHashUpdatedEvent) SetBaseEvent(base *eventstore.BaseEvent) {
+	e.BaseEvent = *base
+}
+
+func NewHumanPasswordHashUpdatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	encoded string,
+) *HumanPasswordHashUpdatedEvent {
+	return &HumanPasswordHashUpdatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPasswordCheckFailedType,
+		),
+		EncodedHash: encoded,
+	}
+}
+
+// SecretOrEncodedHash returns the legacy *crypto.CryptoValue if it is not nil.
+// orherwise it will returns the encoded hash string.
+func SecretOrEncodedHash(secret *crypto.CryptoValue, encoded string) string {
+	if secret != nil {
+		return string(secret.Crypted)
+	}
+	return encoded
+}