Users: add a validation step which lets the user's password be an Argon2 hashed sha1 hash.

OWASP suggests expiring all passwords and requiring users to update their password.
However, we don't have a way to do this. They suggest this mechanism
as a good alternative:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes
This commit is contained in:
Graham Christensen
2021-04-16 09:58:46 -04:00
parent fa924ea697
commit d10d8964f2
2 changed files with 17 additions and 0 deletions


@ -238,6 +238,12 @@ sub check_password {
$self->setPassword($password);
}
return 1;
} elsif ($authenticator->verify_password(sha1_hex($password), $self->password)) {
# The user's database record has their old password as sha1, re-hashed as Argon2.
# Store their password hashed only with Argon2.
$self->setPassword($password);
return 1;
} else {
return 0;
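Review bot: the new `elsif` branch only succeeds when the stored value is Argon2 over the exact lowercase hex string that `sha1_hex($password)` returns, so the one-off migration that wraps the existing sha1 hashes must feed that same lowercase hex encoding (not raw digest bytes or uppercase hex), or every legacy login will fall through to `return 0`; worth saying so in the comment above `$self->setPassword($password);`. Also confirm `sha1_hex` is imported in this file (e.g. `use Digest::SHA qw(sha1_hex);`), since this hunk is the only visible use, and note that a wrong password now costs two Argon2 verifications instead of one, which slightly raises the per-attempt cost of failed logins.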