Users: transparently upgrade passwords to Argon2

Passwords that are sha1 will be transparently upgraded to argon2,
and future comparisons will use Argon2

Co-authored-by: Graham Christensen <graham@grahamc.com>

t/Schema/Users.t

@@ -11,11 +11,20 @@ use Test2::V0;
 my $db = Hydra::Model::DB->new;
 hydra_setup($db);
 
-# Catalyst's default password checking is not constant time. To improve
-# the security of the system, we replaced the check password routine.
-# Verify comparing correct and incorrect passwords work.
+# Hydra used to store passwords, by default, as plain unsalted sha1 hashes.
+# We now upgrade these badly stored passwords with much stronger algorithms
+# when the user logs in. Implementing this meant reimplementing our password
+# checking ourselves, so also ensure that basic password checking works.
+#
+# This test:
+#
+# 1. creates a user with the legacy password
+# 2. validates that the wrong password is not considered valid
+# 3. validates that the correct password is valid
+# 4. checks that the checking of the correct password transparently upgraded
+#    the password's storage to a more secure algorithm.
 
-# Starting the user with a sha1 password
+# Starting the user with an unsalted sha1 password
 my $user = $db->resultset('Users')->create({
     "username" => "alice",
     "emailaddress" => 'alice@nixos.org',
@@ -24,6 +33,10 @@ my $user = $db->resultset('Users')->create({
 isnt($user, undef, "My user was created.");
 
 ok(!$user->check_password("barbaz"), "Checking the password, barbaz, is not right");
+
+is($user->password, "8843d7f92416211de9ebb963ff4ce28125932878", "The unsalted sha1 is in the database.");
 ok($user->check_password("foobar"), "Checking the password, foobar, is right");
+isnt($user->password, "8843d7f92416211de9ebb963ff4ce28125932878", "The user has had their password rehashed.");
+ok($user->check_password("foobar"), "Checking the password, foobar, is still right");
 
 done_testing;