From beb5be43022ac0faa66635df654e40ca9221f9e0 Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@floxdev.com>
Date: Thu, 15 Apr 2021 10:56:12 -0400
Subject: [PATCH] Users: password changes via the web UI now use Argon2

Co-authored-by: Graham Christensen <graham@grahamc.com>
---
 src/lib/Hydra/Controller/User.pm | 10 ++--------
 src/lib/Hydra/Schema/Users.pm    | 23 +++++++++++++++++------
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/src/lib/Hydra/Controller/User.pm b/src/lib/Hydra/Controller/User.pm
index 9cdece8a..b3512a1b 100644
--- a/src/lib/Hydra/Controller/User.pm
+++ b/src/lib/Hydra/Controller/User.pm
@@ -229,12 +229,6 @@ sub isValidPassword {
 }
 
 
-sub setPassword {
-    my ($user, $password) = @_;
-    $user->update({ password => sha1_hex($password) });
-}
-
-
 sub register :Local Args(0) {
     my ($self, $c) = @_;
 
@@ -294,7 +288,7 @@ sub updatePreferences {
         error($c, "The passwords you specified did not match.")
             if $password ne trim $c->stash->{params}->{password2};
 
-        setPassword($user, $password);
+        $user->setPassword($password);
     }
 
     my $emailAddress = trim($c->stash->{params}->{emailaddress} // "");
@@ -394,7 +388,7 @@ sub reset_password :Chained('user') :PathPart('reset-password') :Args(0) {
         unless $user->emailaddress;
 
     my $password = Crypt::RandPasswd->word(8,10);
-    setPassword($user, $password);
+    $user->setPassword($password);
     sendEmail(
         $c->config,
         $user->emailaddress,
diff --git a/src/lib/Hydra/Schema/Users.pm b/src/lib/Hydra/Schema/Users.pm
index e11e0354..55f0f1cb 100644
--- a/src/lib/Hydra/Schema/Users.pm
+++ b/src/lib/Hydra/Schema/Users.pm
@@ -214,9 +214,7 @@ sub json_hint {
     return \%hint;
 }
 
-sub check_password {
-    my ($self, $password) = @_;
-
+sub _authenticator() {
     my $authenticator = Crypt::Passphrase->new(
         encoder    => 'Argon2',
         validators => [
@@ -228,11 +226,16 @@ sub check_password {
         ],
     );
 
+    return $authenticator;
+}
+
+sub check_password {
+    my ($self, $password) = @_;
+
+    my $authenticator = _authenticator();
     if ($authenticator->verify_password($password, $self->password)) {
         if ($authenticator->needs_rehash($self->password)) {
-            $self->update({
-                "password" => $authenticator->hash_password($password),
-            });
+            $self->setPassword($password);
         }
 
         return 1;
@@ -241,4 +244,12 @@ sub check_password {
     }
 }
 
+sub setPassword {
+    my ($self, $password) = @_;;
+
+    $self->update({
+        "password" => _authenticator()->hash_password($password),
+    });
+}
+
 1;