From 5a8cc0d7fc241494580cd4a060690eaf09ff46d7 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Wed, 8 Mar 2023 11:18:35 +0300 Subject: Replace Bcrypt with Argon2 for better security. Bcrypt is now somewhat vulnerable to offline cracking, so we move our password hashing over to Argon2. --- gn3/auth/authentication/users.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'gn3/auth') diff --git a/gn3/auth/authentication/users.py b/gn3/auth/authentication/users.py index 54838a3..5ee148f 100644 --- a/gn3/auth/authentication/users.py +++ b/gn3/auth/authentication/users.py @@ -2,7 +2,8 @@ from uuid import UUID, uuid4 from typing import Any, Tuple, NamedTuple -import bcrypt +from argon2 import PasswordHasher +from argon2.exceptions import VerifyMismatchError from gn3.auth import db from gn3.auth.authorisation.errors import NotFoundError @@ -60,7 +61,11 @@ def valid_login(conn: db.DbConnection, user: User, password: str) -> bool: if row is None: return False - return bcrypt.checkpw(password.encode("utf-8"), row["password"]) + hasher = PasswordHasher() # TODO: Maybe tune the parameters here... + try: + return hasher.verify(row["password"], password) + except VerifyMismatchError as _vme: + return False def save_user(cursor: db.DbCursor, email: str, name: str) -> User: """ @@ -79,7 +84,8 @@ def save_user(cursor: db.DbCursor, email: str, name: str) -> User: def set_user_password( cursor: db.DbCursor, user: User, password: str) -> Tuple[User, bytes]: """Set the given user's password in the database.""" - hashed_password = bcrypt.hashpw(password.encode("utf8"), bcrypt.gensalt()) + hasher = PasswordHasher() # TODO: Maybe tune the parameters here... + hashed_password = hasher.hash(password) cursor.execute( ("INSERT INTO user_credentials VALUES (:user_id, :hash) " "ON CONFLICT (user_id) DO UPDATE SET password=:hash"), -- cgit v1.2.3