-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Argon2id hashed passwords in userdb #2102
base: master
Are you sure you want to change the base?
Conversation
1644410
to
85c00fc
Compare
d2f2818
to
ab2608a
Compare
This is certainly not how to do it, and it's not even better than nothing.. this solution is unheard of in the industry.. because of two things.. first you have no clear way how to invalidate the hash for users that change passwords.. second the idea of sending the username and the password over the network with each request is bad.. this is why a cookie based management or even a session based is preferred, because the problem lies from the worker side it doesn't have a token or a cookie.. I suggest you look up how to implement a cookie-session based solution instead, you can either cheat how we do it for views and web pages or change our system to use oAuth. |
Api tokens/cookies etc.. are not enough. One needs a challenge response system so that the username/password never need to be sent over the channel. But it seems to me that then you may as well use TLS with client side certificates (with the server being the CA). EDIT: IUC then OAUTH2 is challenge response based. |
I was thinking that a token based system might be used to solve the curious case of Sylvain27. A token would contain the worker name. We could then disable the bad worker by invalidating the corresponding token. If the user circumvents this by changing the worker name then we could revoke their right to request a new token. This means that their old workers could continue to run but it would not be possible to start new ones. |
As this PR discusses an account login/block and not a particular worker block,
2- A server-side session management |
worker-side code
|
Are you using a challenge response system? Otherwise the cookie serves the same role as the password (for an observer of the insecure channel)... |
No that's a bit complicated for a PR that wants to cache hashed passwords.... |
To me it is not clear why a naive token based system (without challenge response) is more secure than just sending username password with every request. I am interested in hearing arguments about this. |
The question is not only about security it's about efficiency. |
I hope we agree that having hashed passwords in the db is a step forward from the current setup? I personally think that what we have now is sub-standard (even though understandable from the legacy point of view). It is also clear we need something that is performant enough to do a few 100 authorized API calls per second on a single core. I wouldn't mind moving forward from the status-quo and improving gradually afterward. If we can do most api calls with short-lived tokens handled in a standard way in the (near) future, that's even better. Nevertheless, I assume we would need something like the current PR anyway for the login part of #2102 (comment) ? |
Agreed on the gradual progress. I am working on a |
Some tests using
|
This (darft) PR assumes that all the passwords are hashed in the DB
Will provide a script for this later on
Hash existing passwords on first authentication