Erik Michelson
f30f0d8e51
fix(passwords): use argon2id instead of bcrypt
...
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.
While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].
This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).
The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.
[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-08 20:29:23 +02:00
renovate[bot]
3513377d2d
fix(deps): update dependency next to v14.1.1 [security]
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-10 07:42:49 +00:00
renovate[bot]
662de1e9f8
fix(deps): update dependency reveal.js to v5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 11:40:15 +02:00
renovate[bot]
9aaec95398
fix(deps): update dependency @nestjs/schedule to v4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 11:31:07 +02:00
renovate[bot]
8b501915f5
chore(deps): upgrade redux packages
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-04-09 10:55:38 +02:00
renovate[bot]
ad3859c9df
fix(deps): update dependency katex to v0.16.10 [security]
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-25 23:21:37 +00:00
renovate[bot]
a6c2bbe1e7
fix(deps): update dependency copy-webpack-plugin to v12
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-23 01:36:41 +01:00
renovate[bot]
f56abf74e0
fix(deps): update dependency sass to v1.71.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-01 18:10:49 +01:00
renovate[bot]
61bf3adf99
chore(deps): update linters
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-01 17:51:22 +01:00
renovate[bot]
5775b07b2d
chore(deps): update dependency @types/node to v20.11.18
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-15 15:34:38 +00:00
renovate[bot]
fc7b6f8d3d
fix(deps): update dependency @orama/orama to v2.0.6
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-13 21:34:53 +00:00
renovate[bot]
ecce1adc16
fix(deps): update nestjs packages to v10.3.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 13:13:48 +00:00
renovate[bot]
3dad5fce2c
fix(deps): update dependency twemoji-colr-font to v15
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 12:47:14 +01:00
renovate[bot]
e7f33c9002
chore(deps): update dependency turbo to v1.12.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 01:23:50 +01:00
renovate[bot]
b47d728698
fix(deps): update dependency markdown-it-emoji to v3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-12 00:46:57 +01:00
renovate[bot]
144b8e29d8
fix(deps): update dependency react-i18next to v14
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-11 23:58:52 +01:00
Erik Michelson
e7e7f84f7b
chore(deps): regenerate lockfile
...
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-02-11 23:54:55 +01:00
renovate[bot]
7a2f0c5c4b
chore(deps): lock file maintenance
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 23:17:20 +00:00
Tilman Vatteroth
d8c22f62f1
regenerate yarn.lock
...
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
a090070c79
fix(deps): update dependency mermaid to v10.8.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
73e34755a1
fix(deps): update dependency joi to v17.12.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
315d43f209
fix(deps): update dependency htmlparser2 to v9.1.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
b87a978f25
fix(deps): update dependency flowchart.js to v1.18.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
b58c475f83
fix(deps): update dependency express-session to v1.18.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
c871b69324
fix(deps): update dependency abcjs to v6.3.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
c8d4607101
fix(deps): update dependency @redux-devtools/core to v3.14.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
0eb473e5fc
chore(deps): update typescript-eslint monorepo to v6.21.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
37af638054
chore(deps): update testing-library
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
eb71573227
chore(deps): update linters
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
01257ea7ac
chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.5.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
d1bc150035
fix(deps): update vega
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
2d1428333d
fix(deps): update i18next
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
d089634369
fix(deps): update dependency ws to v8.16.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
dcaeb98fa1
fix(deps): update dependency tlds to v1.250.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
1257d070ba
fix(deps): update dependency sass to v1.70.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
20c41578f3
fix(deps): update dependency reflect-metadata to v0.2.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
609883f7a4
fix(deps): update dependency react-use to v17.5.0
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
de1c7f769b
fix(deps): update dependency react-bootstrap to v2.10.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
01a24607ce
chore(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
970686202d
chore(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2024-02-10 18:00:34 +01:00
renovate[bot]
1ccf02bab6
fix(deps): update nestjs packages
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
0474dbbac8
fix(deps): update dependency typeorm to v0.3.20
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
c6377a293f
fix(deps): update dependency @orama/orama to v2.0.5
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
3f5f7bbc27
chore(deps): update dependency yjs to v13.6.12
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
8d3253c1b2
chore(deps): update dependency cypress to v13.6.4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
68ae8fd726
chore(deps): update dependency @types/jest to v29.5.12
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
bf0991a671
chore(deps): update dependency @darraghor/eslint-plugin-nestjs-typed to v4.4.3
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
074a92444b
chore(deps): update definitelytyped
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 18:00:34 +01:00
renovate[bot]
f0cb3bf775
chore(deps): update codemirror
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 16:21:59 +01:00
renovate[bot]
e1fdfb9095
chore(deps): update dependency markdownlint-cli2 to v0.12.1
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-10 16:02:31 +01:00