upd: flip rehash behavior, convert argon2 into bcrypt (!444) · Merge requests · TransFem.org / Sharkey

S Kopper requested to merge kopper/Sharkey:argon2-rehash into develop Feb 25, 2024

What does this PR do? (Please give us a brief description of what this PR does.)

argon2 is only really used to allow migrations from firefish & forks (& foundkey).

using argon2 for everything prevents seamless migrations to upstream misskey in exchange for a debatable¹² increase in security.

so, let's keep accepting existing argon2 hashes to keep the firefish migration path seamless, but rehash them to bcrypt on login.

¹: https://infosec.exchange/@epixoip/110912922574721750, https://github.com/epixoip/hmac-bcrypt/?tab=readme-ov-file#justification

²: the bcrypt implementation used in misskey doesn't support passwords > 72 bytes, but we cannot do anything about that without breaking compatibility, bringing us back to where we started (upstream; if you're reading this, please consider hmac-bcrypt!)

Contribution Guidelines By submitting this merge request, you agree to follow our Contribution Guidelines

I agree to follow this project's Contribution Guidelines
I have made sure to test this pull request

upd: flip rehash behavior, convert argon2 into bcrypt

Merge request reports