
Hash web panel passwords with Argon2id #775

Merged: ArchangelWTF merged 2 commits into 4.1.x-dev from argon2-password-hashing on Jun 15, 2026

Conversation

@refringe (Contributor)
  • Add IPasswordHasher and Argon2id implementation
  • Hash passwords on create/update instead of storing plaintext
  • Passwords are no longer trimmed
  • Verify logins against stored hashes
  • Rehash credentials when cost parameters change
  • Migrate existing plaintext credentials to hashes on startup
  • Seed config default user with a hashed password
  • Verify failed logins against a dummy hash to keep timing constant
  • Stop exposing/editing stored passwords in the credentials UI panel
  • Add some tests for the hasher
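The bullet points above describe a complete design: a hasher behind an interface, self-describing stored records, rehash-on-parameter-change, a dummy hash for unknown users, and a startup migration of plaintext values. The following C# is an added illustration of how those pieces fit together; it is not the project's code and not the package either reviewer refers to. Only the interface name `IPasswordHasher` comes from the description. The class name, the `Konscious.Security.Cryptography.Argon2` NuGet dependency used for the Argon2id primitive, the record encoding, the `VerifyLogin`/`NeedsRehash`/`MigrateStoredValue` method names, and the default cost parameters are all assumptions made for the example.

```csharp
// Added illustration, not SPT's code. Assumes the NuGet package
// Konscious.Security.Cryptography.Argon2 for the Argon2id primitive
// (the PR discussion concerns libsodium-based packages instead).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;

public interface IPasswordHasher
{
    string Hash(string password);
    bool Verify(string password, string encodedHash);
    bool NeedsRehash(string encodedHash);
}

public sealed class Argon2idPasswordHasher : IPasswordHasher
{
    private const int SaltBytes = 16, HashBytes = 32;
    private readonly int _memoryKiB, _iterations, _parallelism;
    private readonly string _dummyHash;   // pre-computed once; used when the user does not exist

    // Defaults are assumptions for the example; tune to the deployment's hardware.
    public Argon2idPasswordHasher(int memoryKiB = 65536, int iterations = 3, int parallelism = 1)
    {
        _memoryKiB = memoryKiB;
        _iterations = iterations;
        _parallelism = parallelism;
        // Dummy record hashed with the *current* parameters so its cost matches real records.
        _dummyHash = Hash(Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)));
    }

    // Self-describing PHC-style record: cost parameters and salt travel with the digest,
    // so Verify and NeedsRehash never depend on out-of-band configuration.
    public string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] digest = Derive(password, salt, _memoryKiB, _iterations, _parallelism);
        return $"$argon2id$v=19$m={_memoryKiB},t={_iterations},p={_parallelism}$"
             + $"{Convert.ToBase64String(salt)}${Convert.ToBase64String(digest)}";
    }

    public bool Verify(string password, string encodedHash)
    {
        if (!TryParse(encodedHash, out var p)) return false;   // corrupt record, not a wrong password
        byte[] digest = Derive(password, p.Salt, p.MemoryKiB, p.Iterations, p.Parallelism);
        return CryptographicOperations.FixedTimeEquals(digest, p.Digest);
    }

    // Login path. storedHash is null when no such user exists; a full Argon2id run
    // still happens against the dummy record so timing does not reveal account existence.
    public bool VerifyLogin(string password, string? storedHash)
    {
        bool ok = Verify(password, storedHash ?? _dummyHash);
        return ok && storedHash != null;
    }

    // True when the record was produced with different cost parameters (or is not an
    // Argon2id record at all); the caller re-hashes after a successful login.
    public bool NeedsRehash(string encodedHash) =>
        !TryParse(encodedHash, out var p)
        || p.MemoryKiB != _memoryKiB || p.Iterations != _iterations || p.Parallelism != _parallelism;

    // Startup migration: a stored value that does not parse as one of our records is
    // treated as a legacy plaintext password and hashed in place.
    public string MigrateStoredValue(string stored) => TryParse(stored, out _) ? stored : Hash(stored);

    private static byte[] Derive(string password, byte[] salt, int memoryKiB, int iterations, int parallelism)
    {
        // No Trim(): leading and trailing whitespace is part of the password.
        using var argon = new Argon2id(Encoding.UTF8.GetBytes(password))
        {
            Salt = salt,
            MemorySize = memoryKiB,          // KiB
            Iterations = iterations,
            DegreeOfParallelism = parallelism,
        };
        return argon.GetBytes(HashBytes);
    }

    private sealed record Params(int MemoryKiB, int Iterations, int Parallelism, byte[] Salt, byte[] Digest);

    private static bool TryParse(string encoded, out Params parsed)
    {
        parsed = null!;
        string[] parts = encoded.Split('$');   // "", "argon2id", "v=19", "m=..,t=..,p=..", salt, digest
        if (parts.Length != 6 || parts[1] != "argon2id" || parts[2] != "v=19") return false;
        var cost = new Dictionary<string, int>();
        foreach (string kv in parts[3].Split(','))
        {
            string[] pair = kv.Split('=');
            if (pair.Length != 2 || !int.TryParse(pair[1], out int n) || n <= 0) return false;
            cost[pair[0]] = n;
        }
        if (!cost.TryGetValue("m", out int m) || !cost.TryGetValue("t", out int t) || !cost.TryGetValue("p", out int par))
            return false;
        try
        {
            parsed = new Params(m, t, par, Convert.FromBase64String(parts[4]), Convert.FromBase64String(parts[5]));
            return parsed.Salt.Length == SaltBytes && parsed.Digest.Length == HashBytes;
        }
        catch (FormatException) { return false; }
    }
}
```

Two caveats a practitioner would want. First, the record format above uses padded Base64 and is not byte-for-byte compatible with the `$argon2id$...` strings that libsodium's `crypto_pwhash_str` emits (libsodium uses unpadded Base64); pick one format before the startup migration runs, because `MigrateStoredValue` decides "plaintext or hash" by whether the value parses. Second, the constant-time property only holds for the unknown-user case; a stored record that fails to parse returns early, which is acceptable because that signals a corrupt database row, not an attacker-controlled input. If the libsodium route from the review discussion is taken, the three operations map directly onto `crypto_pwhash_str`, `crypto_pwhash_str_verify` and `crypto_pwhash_str_needs_rehash`.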
@refringe refringe requested review from ArchangelWTF and CJ-SPT June 15, 2026 00:32

@ArchangelWTF (Member) left a comment

Have some concerns about the current package used; would ideally love to just implement it ourselves, since it doesn't seem too bad.

Comment thread on Libraries/SPTarkov.Server.Web/SPTarkov.Server.Web.csproj (Outdated)
@refringe (Contributor, Author)

I chose Scott's package because it uses libsodium, which uses the official C implementation compiled directly from the original Argon2 authors.

If you'd rather have the pure C# implementation, I can take a look later this afternoon.

I'm good either way. They're both tested implementations.

@ArchangelWTF (Member) commented Jun 15, 2026

Oh, I've got no problems with using libsodium; the only issue I have with pulling in Scott's package is that it's only about ~100 lines that we could just write ourselves and save the trouble of potentially having a package go unmaintained.

@ArchangelWTF ArchangelWTF merged commit 8b066d0 into 4.1.x-dev Jun 15, 2026
3 of 5 checks passed
@ArchangelWTF ArchangelWTF deleted the argon2-password-hashing branch June 15, 2026 18:18


2 participants