mirror of
https://github.com/penpot/penpot.git
synced 2025-05-31 17:26:18 +02:00
✨ Increase strength of password hashing algorithm
And enable password update mechanism on login
parent
84dc3c8fd9
commit
76b931108e
2 changed files with 21 additions and 12 deletions
|
@ -6,15 +6,18 @@
|
||||||
|
|
||||||
(ns app.auth
|
(ns app.auth
|
||||||
(:require
|
(:require
|
||||||
[buddy.hashers :as hashers]))
|
[buddy.hashers :as hashers]
|
||||||
|
[promesa.exec :as px]))
|
||||||
|
|
||||||
|
(def default-params
|
||||||
|
{:alg :argon2id
|
||||||
|
:memory (* 32768 2)
|
||||||
|
:iterations 5
|
||||||
|
:parallelism (px/get-available-processors)})
|
||||||
|
|
||||||
(defn derive-password
|
(defn derive-password
|
||||||
[password]
|
[password]
|
||||||
(hashers/derive password
|
(hashers/derive password default-params))
|
||||||
{:alg :argon2id
|
|
||||||
:memory 16384
|
|
||||||
:iterations 20
|
|
||||||
:parallelism 2}))
|
|
||||||
|
|
||||||
(defn verify-password
|
(defn verify-password
|
||||||
[attempt password]
|
[attempt password]
|
||||||
|
|
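Review bot: `:parallelism (px/get-available-processors)` in `default-params` ties the Argon2id lane count to whichever host loads the namespace, so newly derived hashes carry different parameters on different nodes, CPU-limited containers and developer machines. Pinning it keeps the work factor reproducible and reviewable, e.g. `:parallelism 2 ; fixed lane count, not host-dependent` (2 is the value the removed code used). The same map lowers iterations from 20 to 5 while raising memory, so a comment such as `;; :memory presumably in KiB, (* 32768 2) = 64 MiB; iterations lowered to offset the larger memory cost` would record the units and the intended trade-off, once confirmed against the hashing library. `verify-password` continues past the end of this hunk, so how hashes stored with the older parameters get flagged for update cannot be checked from here.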
|
@ -8,6 +8,7 @@
|
||||||
(:require
|
(:require
|
||||||
[app.common.data :as d]
|
[app.common.data :as d]
|
||||||
[app.common.exceptions :as ex]
|
[app.common.exceptions :as ex]
|
||||||
|
[app.common.logging :as l]
|
||||||
[app.common.spec :as us]
|
[app.common.spec :as us]
|
||||||
[app.common.uuid :as uuid]
|
[app.common.uuid :as uuid]
|
||||||
[app.config :as cf]
|
[app.config :as cf]
|
||||||
|
@ -61,14 +62,20 @@
|
||||||
:code :login-disabled
|
:code :login-disabled
|
||||||
:hint "login is disabled in this instance"))
|
:hint "login is disabled in this instance"))
|
||||||
|
|
||||||
(letfn [(check-password [profile password]
|
(letfn [(check-password [conn profile password]
|
||||||
(when (= (:password profile) "!")
|
(when (= (:password profile) "!")
|
||||||
(ex/raise :type :validation
|
(ex/raise :type :validation
|
||||||
:code :account-without-password
|
:code :account-without-password
|
||||||
:hint "the current account does not have password"))
|
:hint "the current account does not have password"))
|
||||||
(:valid (profile/verify-password cfg password (:password profile))))
|
(let [result (profile/verify-password cfg password (:password profile))]
|
||||||
|
(when (:update result)
|
||||||
|
(l/trace :hint "updating profile password" :id (:id profile) :email (:email profile))
|
||||||
|
(profile/update-profile-password! (assoc cfg ::db/conn conn)
|
||||||
|
(assoc profile :password password)))
|
||||||
|
(:valid result)))
|
||||||
|
|
||||||
(validate-profile [profile]
|
|
||||||
|
(validate-profile [conn profile]
|
||||||
(when-not profile
|
(when-not profile
|
||||||
(ex/raise :type :validation
|
(ex/raise :type :validation
|
||||||
:code :wrong-credentials))
|
:code :wrong-credentials))
|
||||||
|
@ -78,7 +85,7 @@
|
||||||
(when (:is-blocked profile)
|
(when (:is-blocked profile)
|
||||||
(ex/raise :type :restriction
|
(ex/raise :type :restriction
|
||||||
:code :profile-blocked))
|
:code :profile-blocked))
|
||||||
(when-not (check-password profile password)
|
(when-not (check-password conn profile password)
|
||||||
(ex/raise :type :validation
|
(ex/raise :type :validation
|
||||||
:code :wrong-credentials))
|
:code :wrong-credentials))
|
||||||
(when-let [deleted-at (:deleted-at profile)]
|
(when-let [deleted-at (:deleted-at profile)]
|
||||||
|
@ -90,8 +97,7 @@
|
||||||
|
|
||||||
(db/with-atomic [conn pool]
|
(db/with-atomic [conn pool]
|
||||||
(let [profile (->> (profile/get-profile-by-email conn email)
|
(let [profile (->> (profile/get-profile-by-email conn email)
|
||||||
(validate-profile)
|
(validate-profile conn)
|
||||||
(profile/decode-row)
|
|
||||||
(profile/strip-private-attrs))
|
(profile/strip-private-attrs))
|
||||||
|
|
||||||
invitation (when-let [token (:invitation-token params)]
|
invitation (when-let [token (:invitation-token params)]
|
||||||
|
|
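Review bot: In `check-password` the stored hash is rewritten whenever `(:update result)` is truthy, without also requiring `(:valid result)`. The map returned by `profile/verify-password` is not visible on this page, so if it can ever report `:update` for a non-matching attempt, the submitted string is written as the account password before `:wrong-credentials` is raised. The surrounding `db/with-atomic` would probably roll that write back, but that is an implicit safeguard; making the guard explicit costs one line: `(when (and (:valid result) (:update result))`. Separately, the `l/trace` call records the profile email on every rehash, and `:id (:id profile)` alone would be enough to correlate the event.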