hedgedoc/backend
Erik Michelson f30f0d8e51 fix(passwords): use argon2id instead of bcrypt
OWASP [1] recommends for password hashing the following algorithms in
descending order: argon2id, scrypt, bcrypt. They state that bcrypt may
be used in legacy systems or when required due to legal regulations.
We're however not building any legacy application. Even HedgeDoc 1.x
utilizes a more modern algorithm by using scrypt.

While bcrypt is not insecure per se, our implementation had a major
security flaw, leading to invalid passwords being accepted in certain
cases. The bcrypt nodejs package - and the OWASP cheatsheet as well -
point out, that the maximum input length of passwords is limited to 72
bytes with bcrypt. When some user has a password longer than 72 bytes in
use, only the first 72 bytes are required to log in successfully.
Depending on the encoding (which could be UTF-8 or UTF-16 depending on
different circumstances) this could in worst-case be at 36 characters,
which is not very unusual for a password. See also [2].

This commit changes the used algorithm to argon2id. Argon2id has been in
use for several years now and seems to be a well-designed password
hashing function that even won the 2015 Password Hashing Competition.
Argon2 does not have any real-world max input length for passwords (it
is at 4 GiB).

The node-rs/argon2 implementation seems to be well maintained, widely
used (more than 150k downloads per week) and is published with
provenance, proving that the npm package was built on GitHub actions
using the source code in the repository. The implementation is written
in Rust, so it should be safe against memory leakages etc.

[1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Che
     at_Sheet.html#password-hashing-algorithms
[2]: https://security.stackexchange.com/a/39851

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2024-08-08 20:29:23 +02:00
..
docker chore(deps): update node.js to 2f46fd4 2024-01-28 16:06:28 +00:00
public fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
src fix(passwords): use argon2id instead of bcrypt 2024-08-08 20:29:23 +02:00
test feat(notes): check for equal alias or note id 2024-04-18 22:15:11 +02:00
.editorconfig fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
.env fix: add .env file symlinks 2023-04-13 10:39:17 +02:00
.eslintrc.js chore(eslint): allow PascalCase for imports 2023-12-07 18:46:39 +01:00
.gitignore fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
.prettierrc.json feat(package): adjust packages to workspaces 2022-12-04 20:59:46 +01:00
.prettierrc.json.license feat(package): adjust packages to workspaces 2022-12-04 20:59:46 +01:00
CHANGELOG.md refactor: remove dropbox, facebook & twitter login 2023-10-07 13:28:37 +02:00
eslint-local-rules.js fix: move eslint-local-rules.js into backend directory 2023-08-26 09:19:53 +02:00
jest-e2e.json fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
jest-e2e.json.license fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
nest-cli.json fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
nest-cli.json.license fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
package.json fix(passwords): use argon2id instead of bcrypt 2024-08-08 20:29:23 +02:00
package.json.license fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
tsconfig.build.json fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
tsconfig.build.json.license fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00
tsconfig.json fix(backend): allowjs in tsconfig.json 2023-08-13 20:38:53 +02:00
tsconfig.json.license fix(repository): Move backend code into subdirectory 2022-10-30 22:46:42 +01:00