
feat: bring password hashing inline with industry best practices #881

Merged
merged 5 commits into from
Aug 25, 2023

Conversation

Skelmis
Contributor

@Skelmis Skelmis commented Aug 23, 2023

This pull request accomplishes two things:

  • Brings Piccolo's internal password hashing in line with industry best practices. See here for more information.
  • Implements the functionality required to automatically migrate hashes to the newest iteration count upon login.

This pull request does not propose a solution to the storage of legacy hashes.

@dantownsend
Member

@Skelmis Thanks a lot for this - you're right, we should increase the iterations. We just need to be careful to make it backwards compatible.

@Skelmis
Contributor Author

Skelmis commented Aug 23, 2023

Heya @dantownsend, backwards compatibility is key, I do agree. This pull request handles that under the assumption that Piccolo only supports pbkdf2_sha256 as the password hashing mechanism, an assumption that is true at the time of this PR.

Essentially, when a user attempts to log in, the user's current hash is introspected to get the required iteration count (10_000 in the current case).
The two hashes are then compared and, if the user is authenticated, the user's current iteration count is compared to BaseUser._pbkdf2_iteration_count, which denotes the current iteration count. If the two values differ, Piccolo knows the password hash requires upgrading and performs this operation using the now authenticated password provided by the end user.

I have performed manual testing locally and received the expected hash upgrade when logging in as a user with a hash set with 10_000 iterations.
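The login-time upgrade flow described in the comment above, as an added illustration rather than Piccolo's own code. It assumes a Django-style stored format of `pbkdf2_sha256$<iterations>$<salt>$<hexdigest>`, uses a constructed `CURRENT_ITERATIONS` value in place of `BaseUser._pbkdf2_iteration_count`, and the function names (`hash_password`, `split_stored_hash`, `verify_and_maybe_upgrade`) are hypothetical. The two points a reviewer cares about are visible in the code: the stored hash's own iteration count is used for verification (so old hashes keep working), and a rehash only happens after the password has been verified, with a fresh salt.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed current iteration count; stands in for BaseUser._pbkdf2_iteration_count.
CURRENT_ITERATIONS = 600_000
# The count the PR discussion says existing (legacy) hashes were created with.
LEGACY_ITERATIONS = 10_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[str] = None) -> str:
    """Return a hash in the assumed 'pbkdf2_sha256$<iterations>$<salt>$<hexdigest>' format."""
    if salt is None:
        salt = secrets.token_hex(16)  # fresh random salt per hash
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    ).hex()
    return f"{ALGORITHM}${iterations}${salt}${digest}"


def split_stored_hash(stored: str) -> Tuple[int, str, str]:
    """Introspect a stored hash: reject unknown algorithms, return (iterations, salt, digest)."""
    algorithm, iterations, salt, digest = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return int(iterations), salt, digest  # iterations is stored as text, so cast it


def verify_and_maybe_upgrade(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Verify `password` against `stored`.

    Returns (authenticated, replacement_hash). The replacement is None unless the
    login succeeded AND the stored hash uses an iteration count other than the
    current one; in that case the caller should persist the replacement.
    """
    iterations, salt, expected_digest = split_stored_hash(stored)
    # Recompute with the *stored* parameters so legacy hashes still verify.
    candidate_digest = hash_password(password, iterations=iterations, salt=salt).split("$")[3]
    if not hmac.compare_digest(candidate_digest, expected_digest):
        return False, None  # never rehash on a failed login
    if iterations != CURRENT_ITERATIONS:
        # Password is now known to be correct: rehash with the current count and a new salt.
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed scenario: a user row whose hash was created with the legacy count.
    user_row = {"password": hash_password("correct horse battery", iterations=LEGACY_ITERATIONS)}
    ok, replacement = verify_and_maybe_upgrade(user_row["password"], "correct horse battery")
    if ok and replacement is not None:
        user_row["password"] = replacement  # this is the write-back Piccolo performs on login
    print("authenticated:", ok, "| stored iterations now:",
          split_stored_hash(user_row["password"])[0])
```

A failed login must never trigger a rehash: the upgrade is only safe because the plaintext has just been proven correct, which is also why the migration can only happen at login time and cannot be done offline for dormant accounts (the "legacy hashes" the PR description leaves unsolved).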

Skelmis and others added 3 commits August 24, 2023 10:04
Mypy complains because iterations was a string, but we change it to an int
@codecov-commenter

codecov-commenter commented Aug 25, 2023

Codecov Report

Merging #881 (df528a6) into master (dc13200) will increase coverage by 0.00%.
The diff coverage is 100.00%.


@@           Coverage Diff           @@
##           master     #881   +/-   ##
=======================================
  Coverage   92.11%   92.11%           
=======================================
  Files         107      107           
  Lines        8105     8108    +3     
=======================================
+ Hits         7466     7469    +3     
  Misses        639      639           
Files Changed Coverage Δ
piccolo/apps/user/tables.py 98.00% <100.00%> (+0.12%) ⬆️

@dantownsend
Member

@Skelmis Thanks again for this. I've gone over it a few times, and done some testing, and it all seems solid to me 👍

I wrote a unit test to make sure nothing breaks in the future. I'm happy to merge this in, and put it in the next release.

@dantownsend dantownsend merged commit 022e22a into piccolo-orm:master Aug 25, 2023
37 checks passed