From beb5be43022ac0faa66635df654e40ca9221f9e0 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Thu, 15 Apr 2021 10:56:12 -0400 Subject: [PATCH] Users: password changes via the web UI now use Argon2 Co-authored-by: Graham Christensen --- src/lib/Hydra/Controller/User.pm | 10 ++-------- src/lib/Hydra/Schema/Users.pm | 23 +++++++++++++++++------ 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/src/lib/Hydra/Controller/User.pm b/src/lib/Hydra/Controller/User.pm index 9cdece8a..b3512a1b 100644 --- a/src/lib/Hydra/Controller/User.pm +++ b/src/lib/Hydra/Controller/User.pm @@ -229,12 +229,6 @@ sub isValidPassword { } -sub setPassword { - my ($user, $password) = @_; - $user->update({ password => sha1_hex($password) }); -} - - sub register :Local Args(0) { my ($self, $c) = @_; @@ -294,7 +288,7 @@ sub updatePreferences { error($c, "The passwords you specified did not match.") if $password ne trim $c->stash->{params}->{password2}; - setPassword($user, $password); + $user->setPassword($password); } my $emailAddress = trim($c->stash->{params}->{emailaddress} // ""); @@ -394,7 +388,7 @@ sub reset_password :Chained('user') :PathPart('reset-password') :Args(0) { unless $user->emailaddress; my $password = Crypt::RandPasswd->word(8,10); - setPassword($user, $password); + $user->setPassword($password); sendEmail( $c->config, $user->emailaddress, diff --git a/src/lib/Hydra/Schema/Users.pm b/src/lib/Hydra/Schema/Users.pm index e11e0354..55f0f1cb 100644 --- a/src/lib/Hydra/Schema/Users.pm +++ b/src/lib/Hydra/Schema/Users.pm @@ -214,9 +214,7 @@ sub json_hint { return \%hint; } -sub check_password { - my ($self, $password) = @_; - +sub _authenticator() { my $authenticator = Crypt::Passphrase->new( encoder => 'Argon2', validators => [ 
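Review bot: The value that `$user->setPassword($password);` now stores in `reset_password` is still the `Crypt::RandPasswd->word(8,10)` string generated two lines earlier and then e-mailed in clear, and nothing in this hunk marks it as single-use or forces a change at next login. Hashing it with Argon2 protects the database copy, but a pronounceable 8–10 character word presumably carries far less entropy than a random token of the same length, and it stays valid indefinitely if the mail is read by someone else; consider a longer random string and a comment such as `# Temporary password: sent in clear by e-mail, so it should be rotated on first login`. The `sendEmail(...)` call and the rest of `reset_password` continue past the hunk.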
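Review bot: `sub _authenticator() {` declares an empty prototype, which is only a compile-time parsing hint (it rejects arguments and lets perl inline the call) and is the kind of prototype Perl::Critic flags; unless this file enables the `signatures` feature, the plain form `sub _authenticator {` is the conventional spelling and behaves the same for the `_authenticator()` call sites. The helper also has no comment saying why it was factored out, so add above it `# Single source of truth for the password encoder and validators, shared by check_password and setPassword so rehashes and new passwords agree.` The `Crypt::Passphrase->new(...)` call and the body of `_authenticator` continue in the next hunk.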
@@ -228,11 +226,16 @@ sub check_password { ], ); + return $authenticator; +} + +sub check_password { + my ($self, $password) = @_; + + my $authenticator = _authenticator(); if ($authenticator->verify_password($password, $self->password)) { if ($authenticator->needs_rehash($self->password)) { - $self->update({ - "password" => $authenticator->hash_password($password), - }); + $self->setPassword($password); } return 1; @@ -241,4 +244,12 @@ sub check_password { } } +sub setPassword { + my ($self, $password) = @_;; + + $self->update({ + "password" => _authenticator()->hash_password($password), + }); +} + 1;
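Review bot: `check_password` now rewrites the stored hash through `$self->setPassword($password)` whenever `needs_rehash` reports the current one as stale, but nothing documents that a verification call has this write side effect. Add above the sub a comment such as `# Verifies $password against the stored hash. Side effect: on success, a hash that verifies but that needs_rehash reports as stale is re-hashed with the current encoder and saved.` A fresh `Crypt::Passphrase` object is also built on every call via `_authenticator()`, which is fine on a login path but worth noting if the method is ever reused in a loop. `_authenticator` begins in the previous hunk and the `else` branch of `check_password` lies past this one.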
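Review bot: `setPassword` is now the single place that writes a password hash, yet it accepts any value: an undef or empty `$password` goes straight to `_authenticator()->hash_password`, which presumably either dies with an unhelpful message or stores a valid hash of the empty string, and the `reset_password` hunk shows no `isValidPassword` check on its way here. Guard it: `my ($self, $password) = @_;` followed by `die "Refusing to set an empty password" unless defined $password && length $password;`. The stray `@_;;` is a harmless empty statement but should be a single semicolon, and camelCase `setPassword` now sits beside snake_case `check_password` in the same package, so one convention (or a `set_password` alias) would read better.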