Replace bcrypt with Argon2

authentication/credentials/credentials.go

@@ -1,20 +1,30 @@
 package credentials
 
-import "golang.org/x/crypto/bcrypt"
+import (
+	"log"
 
-// CreatePassword returns a hashed version of the given password.
+	"github.com/alexedwards/argon2id"
-func CreatePassword(pw string) []byte {
+)
-	strength := 12
+
-	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(pw), strength)
+// CreatePasswordHash returns a hashed version of the given password.
+func CreatePasswordHash(password string) []byte {
+	hash, err := argon2id.CreateHash(password, argon2id.DefaultParams)
 
 	if err != nil {
 		panic(err)
 	}
 
-	return hashedPassword
+	return []byte(hash)
 }
 
 // ComparePassword compares a hashed password with its possible plaintext equivalent.
-func ComparePassword(hashedPassword, password []byte) bool {
+func ComparePassword(hash, password []byte) bool {
-	return bcrypt.CompareHashAndPassword(hashedPassword, password) == nil
+	match, err := argon2id.ComparePasswordAndHash(string(password), string(hash))
+
+	if err != nil {
+		log.Fatal(err)
+		return false
+	}
+
+	return match
 }

database/database.go

@@ -91,7 +91,7 @@ func (d *Database) Populate(name, password, matrixID string) error {
 	} else {
 		log.Printf("Admin user %s already exists.\n", name)
 
-		user.PasswordHash = credentials.CreatePassword(password)
+		user.PasswordHash = credentials.CreatePasswordHash(password)
 		user.IsAdmin = true
 		user.MatrixID = matrixID
 

go.mod

@@ -3,6 +3,7 @@ module github.com/eikendev/pushbits
 go 1.14
 
 require (
+	github.com/alexedwards/argon2id v0.0.0-20200522061839-9369edc04b05
 	github.com/gin-contrib/location v0.0.2
 	github.com/gin-gonic/gin v1.6.3
 	github.com/jinzhu/configor v1.2.0

go.sum

@@ -1,6 +1,8 @@
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
+github.com/alexedwards/argon2id v0.0.0-20200522061839-9369edc04b05 h1:votg1faEmwABhCeJ4tiBrvwk4BWftQGkEtFy5iuI7rU=
+github.com/alexedwards/argon2id v0.0.0-20200522061839-9369edc04b05/go.mod h1:GFtu6vaWaRJV5EvSFaVqgq/3Iq95xyYElBV/aupGzUo=
 github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -48,6 +50,7 @@ github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVM
 github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

model/user.go

@@ -41,7 +41,7 @@ func NewUser(name, password string, isAdmin bool, matrixID string) *User {
 
 	user := User{
 		Name:         name,
-		PasswordHash: credentials.CreatePassword(password),
+		PasswordHash: credentials.CreatePasswordHash(password),
 		IsAdmin:      isAdmin,
 		MatrixID:     matrixID,
 	}
@@ -53,7 +53,7 @@ func NewUser(name, password string, isAdmin bool, matrixID string) *User {
 func (u *ExternalUserWithCredentials) IntoInternalUser() *User {
 	return &User{
 		Name:         u.Name,
-		PasswordHash: credentials.CreatePassword(u.Password),
+		PasswordHash: credentials.CreatePasswordHash(u.Password),
 		IsAdmin:      u.IsAdmin,
 		MatrixID:     u.MatrixID,
 	}