upd: flip rehash behavior, convert argon2 into bcrypt
What does this PR do? (Please give us a brief description of what this PR does.)
argon2 is only really used to allow migrations from firefish & forks (& foundkey).
using argon2 for everything prevents seamless migrations to upstream misskey in exchange for a debatable¹² increase in security.
so, let's keep accepting existing argon2 hashes to keep the firefish migration path seamless, but rehash them to bcrypt on login.
¹: https://infosec.exchange/@epixoip/110912922574721750, https://github.com/epixoip/hmac-bcrypt/?tab=readme-ov-file#justification
²: the bcrypt implementation used in misskey doesn't support passwords > 72 bytes, but we cannot do anything about that without breaking compatibility, bringing us back to where we started (upstream; if you're reading this, please consider hmac-bcrypt!)
Contribution Guidelines
By submitting this merge request, you agree to follow our Contribution Guidelines
- I agree to follow this project's Contribution Guidelines
- I have made sure to test this pull request
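
The flow this PR describes (keep verifying stored argon2 hashes, rewrite them as bcrypt after a successful login), as an added example that is not the project's code. `login`, the scheme table and the scrypt-backed stand-in hashers are assumptions for illustration; a real service would call its argon2 and bcrypt libraries in their place.

```javascript
// Added example, not the project's code. The hashers are stand-ins built on
// scrypt so the flow runs offline; they are NOT real argon2 or bcrypt.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const BCRYPT_MAX_BYTES = 72; // bcrypt input limit referred to in footnote 2

function standInHash(prefix, password, salt = randomBytes(16).toString('hex')) {
  return `${prefix}${salt}$${scryptSync(password, salt, 32).toString('hex')}`;
}

function standInVerify(prefix, stored, password) {
  const [salt, digest] = stored.slice(prefix.length).split('$');
  if (!salt || !digest) return false; // malformed stored value
  const expected = Buffer.from(digest, 'hex');
  const actual = scryptSync(password, salt, 32);
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Hypothetical scheme table. Real encoded argon2 hashes start with "$argon2",
// real bcrypt hashes with "$2". Only the target scheme needs hash().
const ARGON2 = { prefix: '$argon2id$', verify: (h, p) => standInVerify('$argon2id$', h, p) };
const BCRYPT = {
  prefix: '$2b$',
  verify: (h, p) => standInVerify('$2b$', h, p),
  hash: (p) => standInHash('$2b$', p),
};

// Verify against whichever scheme the stored hash uses. Only after a
// successful argon2 login is the stored hash replaced with a bcrypt one.
function login(user, password) {
  const scheme = [BCRYPT, ARGON2].find((s) => user.passwordHash.startsWith(s.prefix));
  if (!scheme || !scheme.verify(user.passwordHash, password)) {
    return { ok: false, rehashed: false, overBcryptLimit: false };
  }
  const rehashed = scheme !== BCRYPT;
  if (rehashed) user.passwordHash = BCRYPT.hash(password); // persist in a real service
  return { ok: true, rehashed, overBcryptLimit: Buffer.byteLength(password, 'utf8') > BCRYPT_MAX_BYTES };
}

// Constructed sample account, as if imported from a fork that stored argon2.
function demo() {
  const user = { passwordHash: standInHash('$argon2id$', 'correct horse') };
  const bad = login(user, 'wrong');           // must not trigger a rehash
  const first = login(user, 'correct horse'); // verifies as argon2, rehashes
  const second = login(user, 'correct horse'); // now verifies as bcrypt
  return { bad, first, second, finalPrefix: user.passwordHash.slice(0, 4) };
}
```

The `overBcryptLimit` flag only reports that a password is longer than bcrypt's 72-byte input; what to do with such passwords is the compatibility question footnote 2 leaves open.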