Make hashing parameters configurable

api/user.go

@@ -12,7 +12,7 @@ import (
 
 // The UserDatabase interface for encapsulating database access.
 type UserDatabase interface {
-	CreateUser(user *model.User) error
+	CreateUser(user model.ExternalUserWithCredentials) (*model.User, error)
 	DeleteUser(user *model.User) error
 	GetUserByID(ID uint) (*model.User, error)
 	GetUserByName(name string) (*model.User, error)
@@ -44,14 +44,14 @@ func (h *UserHandler) CreateUser(ctx *gin.Context) {
 		return
 	}
 
-	user := externalUser.IntoInternalUser()
+	if h.userExists(externalUser.Name) {
-
-	if h.userExists(user.Name) {
 		ctx.AbortWithError(http.StatusBadRequest, errors.New("username already exists"))
 		return
 	}
 
-	if success := successOrAbort(ctx, http.StatusInternalServerError, h.DB.CreateUser(user)); !success {
+	user, err := h.DB.CreateUser(externalUser)
+
+	if success := successOrAbort(ctx, http.StatusInternalServerError, err); !success {
 		return
 	}
 

app.go

@@ -6,6 +6,7 @@ import (
 	"os/signal"
 	"syscall"
 
+	"github.com/eikendev/pushbits/authentication/credentials"
 	"github.com/eikendev/pushbits/configuration"
 	"github.com/eikendev/pushbits/database"
 	"github.com/eikendev/pushbits/dispatcher"
@@ -30,7 +31,9 @@ func main() {
 
 	c := configuration.Get()
 
-	db, err := database.Create(c.Database.Dialect, c.Database.Connection)
+	cm := credentials.CreateManager(c.Crypto)
+
+	db, err := database.Create(cm, c.Database.Dialect, c.Database.Connection)
 	if err != nil {
 		panic(err)
 	}

authentication/credentials/credentials.go

@@ -3,28 +3,27 @@ package credentials
 import (
 	"log"
 
+	"github.com/eikendev/pushbits/configuration"
+
 	"github.com/alexedwards/argon2id"
 )
 
-// CreatePasswordHash returns a hashed version of the given password.
+// Manager holds information for managing credentials.
-func CreatePasswordHash(password string) []byte {
+type Manager struct {
-	hash, err := argon2id.CreateHash(password, argon2id.DefaultParams)
+	argon2Params *argon2id.Params
-
-	if err != nil {
-		panic(err)
-	}
-
-	return []byte(hash)
 }
 
-// ComparePassword compares a hashed password with its possible plaintext equivalent.
+// CreateManager instanciates a credential manager.
-func ComparePassword(hash, password []byte) bool {
+func CreateManager(c configuration.CryptoConfig) *Manager {
-	match, err := argon2id.ComparePasswordAndHash(string(password), string(hash))
+	log.Println("Setting up credential manager.")
 
-	if err != nil {
+	argon2Params := &argon2id.Params{
-		log.Fatal(err)
+		Memory:      c.Argon2.Memory,
-		return false
+		Iterations:  c.Argon2.Iterations,
+		Parallelism: c.Argon2.Parallelism,
+		SaltLength:  c.Argon2.SaltLength,
+		KeyLength:   c.Argon2.KeyLength,
 	}
 
-	return match
+	return &Manager{argon2Params: argon2Params}
 }

authentication/credentials/password.go

@@ -0,0 +1,31 @@
+package credentials
+
+import (
+	"log"
+
+	"github.com/alexedwards/argon2id"
+)
+
+// CreatePasswordHash returns a hashed version of the given password.
+func (m *Manager) CreatePasswordHash(password string) []byte {
+	hash, err := argon2id.CreateHash(password, m.argon2Params)
+
+	if err != nil {
+		log.Fatal(err)
+		panic(err)
+	}
+
+	return []byte(hash)
+}
+
+// ComparePassword compares a hashed password with its possible plaintext equivalent.
+func ComparePassword(hash, password []byte) bool {
+	match, err := argon2id.ComparePasswordAndHash(string(password), string(hash))
+
+	if err != nil {
+		log.Fatal(err)
+		return false
+	}
+
+	return match
+}

configuration/configuration.go

@@ -4,6 +4,20 @@ import (
 	"github.com/jinzhu/configor"
 )
 
+// Argon2Config holds the parameters used for creating hashes with Argon2.
+type Argon2Config struct {
+	Memory      uint32 `default:"65536"`
+	Iterations  uint32 `default:"1"`
+	Parallelism uint8  `default:"2"`
+	SaltLength  uint32 `default:"16"`
+	KeyLength   uint32 `default:"32"`
+}
+
+// CryptoConfig holds the parameters used for creating hashes.
+type CryptoConfig struct {
+	Argon2 Argon2Config
+}
+
 // Configuration holds values that can be configured by the user.
 type Configuration struct {
 	Database struct {
@@ -20,6 +34,7 @@ type Configuration struct {
 		Username   string `required:"true"`
 		Password   string `required:"true"`
 	}
+	Crypto CryptoConfig
 }
 
 func configFiles() []string {

database/database.go

@@ -18,8 +18,9 @@ import (
 
 // Database holds information for the database connection.
 type Database struct {
-	gormdb *gorm.DB
+	gormdb             *gorm.DB
-	sqldb  *sql.DB
+	sqldb              *sql.DB
+	credentialsManager *credentials.Manager
 }
 
 func createFileDir(file string) {
@@ -31,7 +32,7 @@ func createFileDir(file string) {
 }
 
 // Create instanciates a database connection.
-func Create(dialect, connection string) (*Database, error) {
+func Create(cm *credentials.Manager, dialect, connection string) (*Database, error) {
 	log.Println("Setting up database connection.")
 
 	maxOpenConns := 5
@@ -68,7 +69,7 @@ func Create(dialect, connection string) (*Database, error) {
 
 	db.AutoMigrate(&model.User{}, &model.Application{})
 
-	return &Database{gormdb: db, sqldb: sql}, nil
+	return &Database{gormdb: db, sqldb: sql, credentialsManager: cm}, nil
 }
 
 // Close closes the database connection.
@@ -83,7 +84,7 @@ func (d *Database) Populate(name, password, matrixID string) error {
 	query := d.gormdb.Where("name = ?", name).First(&user)
 
 	if errors.Is(query.Error, gorm.ErrRecordNotFound) {
-		user := model.NewUser(name, password, true, matrixID)
+		user := model.NewUser(d.credentialsManager, name, password, true, matrixID)
 
 		if err := d.gormdb.Create(&user).Error; err != nil {
 			return errors.New("user cannot be created")
@@ -91,7 +92,7 @@ func (d *Database) Populate(name, password, matrixID string) error {
 	} else {
 		log.Printf("Admin user %s already exists.\n", name)
 
-		user.PasswordHash = credentials.CreatePasswordHash(password)
+		user.PasswordHash = d.credentialsManager.CreatePasswordHash(password)
 		user.IsAdmin = true
 		user.MatrixID = matrixID
 

database/user.go

@@ -9,8 +9,10 @@ import (
 )
 
 // CreateUser creates a user.
-func (d *Database) CreateUser(user *model.User) error {
+func (d *Database) CreateUser(externalUser model.ExternalUserWithCredentials) (*model.User, error) {
-	return d.gormdb.Create(user).Error
+	user := externalUser.IntoInternalUser(d.credentialsManager)
+
+	return user, d.gormdb.Create(user).Error
 }
 
 // DeleteUser deletes a user.

model/user.go

@@ -36,24 +36,22 @@ type ExternalUserWithCredentials struct {
 }
 
 // NewUser creates a new user.
-func NewUser(name, password string, isAdmin bool, matrixID string) *User {
+func NewUser(cm *credentials.Manager, name, password string, isAdmin bool, matrixID string) *User {
 	log.Printf("Creating user %s.\n", name)
 
-	user := User{
+	return &User{
 		Name:         name,
-		PasswordHash: credentials.CreatePasswordHash(password),
+		PasswordHash: cm.CreatePasswordHash(password),
 		IsAdmin:      isAdmin,
 		MatrixID:     matrixID,
 	}
-
-	return &user
 }
 
 // IntoInternalUser converts a ExternalUserWithCredentials into a User.
-func (u *ExternalUserWithCredentials) IntoInternalUser() *User {
+func (u *ExternalUserWithCredentials) IntoInternalUser(cm *credentials.Manager) *User {
 	return &User{
 		Name:         u.Name,
-		PasswordHash: credentials.CreatePasswordHash(u.Password),
+		PasswordHash: cm.CreatePasswordHash(u.Password),
 		IsAdmin:      u.IsAdmin,
 		MatrixID:     u.MatrixID,
 	}