[Brig] Move password verification to the AuthenticationSubsystem, move to Argon2id with default settings. #4271
base: develop
Here is a partial review
salt <- newSalt 32 | ||
salt <- newSalt 16 |
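Review bot: The salt length drops from 32 to 16 bytes with no comment saying why; 16 bytes is the salt length RFC 9106 recommends for Argon2id, so the value is sound, but state that rationale next to `newSalt 16` so a later reader does not mistake the change for a weakening.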
I don't have the context, but why this change?
-- CryptoFailed occurs when salt, output or input are too small/big. | ||
-- since we control those values ourselves, it should never have a runtime error | ||
CryptoFailed cErr -> error $ "Impossible error: " <> show cErr |
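Review bot: The comment claims a `CryptoFailed` result is impossible because the salt, output and input sizes are under our control, but that invariant only holds while those constants stay in step with the parameters passed to the hash call; either validate the sizes where they are defined or add a unit test that hashes one password with the production parameters, so a drift shows up in CI rather than as a runtime `error` on every login.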
So still something to change given the comment?
|
||
------------------------------------------------------------------------------- | ||
-- Generate test passwords, benchmark | ||
|
||
genTestPasswords :: IO [(Text, Text)] | ||
genTestPasswords = replicateM 100 do | ||
pwd <- genPassword | ||
hash <- mkSafePassword pwd | ||
pure (fromPlainTextPassword pwd, fromPassword hash) |
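Review bot: `genTestPasswords` runs `mkSafePassword` 100 times with the production hashing parameters and hands out plaintext/hash pairs from the library module; if it has to live here because it needs unexported internals, add a Haddock comment marking it test/benchmark-only and keep it out of the module's public export list so production code cannot reach it.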
This sounds like it belongs to a test module instead.
Requires access to private functions, unsafe to deconstruct the opaque password type. I should document it.
import Wire.UserKeyStore | ||
|
||
data AuthenticationSubsystem m a where | ||
VerifyPassword :: Local UserId -> PlainTextPassword6 -> AuthenticationSubsystem m () | ||
VerifyPasswordE :: Local UserId -> PlainTextPassword6 -> AuthenticationSubsystem m () |
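Review bot: `VerifyPassword` and `VerifyPasswordE` have identical signatures, so nothing in the types says how they differ; add a Haddock line to each stating the distinction (which errors it throws, or what the `E` suffix stands for), or fold them into one constructor.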
What is "E" in the name?
VerifyPassword :: PlainTextPassword6 -> Password -> AuthenticationSubsystem m (Bool, PasswordStatus) | ||
VerifyUserPassword :: UserId -> PlainTextPassword6 -> AuthenticationSubsystem r (Bool, PasswordStatus) | ||
VerifyProviderPassword :: ProviderId -> PlainTextPassword6 -> AuthenticationSubsystem r (Bool, PasswordStatus) |
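Review bot: The three constructors mix the effect-row variable names `m` and `r` within one GADT; use a single name throughout. Returning `(Bool, PasswordStatus)` also lets a caller match on the status and silently drop the `Bool`; a small sum type with a distinct failure case and a success case carrying the status makes a mismatch impossible to ignore.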
How is the 6-character password topic related to the Scrypt vs. Argon2id topic? Does the choice of algorithm apply the minimal length?
PasswordStore.lookupHashedProviderPassword pid | ||
>>= maybe (throw AuthenticationSubsystemBadCredentials) pure |
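Review bot: Mapping a missing stored hash to `AuthenticationSubsystemBadCredentials` rather than a separate not-found error is the right call, since a distinct error would reveal which provider ids exist; preserve that behaviour when switching to the shorter `noteS` form.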
PasswordStore.lookupHashedProviderPassword pid | |
>>= maybe (throw AuthenticationSubsystemBadCredentials) pure | |
PasswordStore.lookupHashedProviderPassword pid >>= noteS @'AuthenticationSubsystemBadCredentials |
PasswordStore.lookupHashedPassword uid | ||
>>= maybe (throw AuthenticationSubsystemBadCredentials) pure |
ditto
@@ -16,6 +16,12 @@ interpretPasswordStore casClient = | |||
runEmbedded (runClient casClient) . \case | |||
UpsertHashedPassword uid password -> embed $ updatePasswordImpl uid password | |||
LookupHashedPassword uid -> embed $ lookupPasswordImpl uid | |||
LookupHashedProviderPassword pid -> embed $ lookupProviderPasswordImpl pid |
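Review bot: `LookupHashedProviderPassword` is added beside `LookupHashedPassword` with no comment on why a separate action is needed; the discussion says provider passwords live in a different table, so record that in a Haddock comment on the constructor and its interpreter case, so the split is explained in code rather than only in the PR thread.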
Why is there a need to treat provider password differently, i.e., why do we have this action?
Yes, different table.
suspendTimeout: 4 | ||
suspendTimeout: 10 |
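Review bot: The `suspendTimeout` change from 4 to 10 is outside the scope stated in the PR title and the hunk gives no reason for it; add the rationale to the commit message or changelog entry so operators know the timeout behaviour changed and why.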
Why this change?
@@ -100,6 +106,7 @@ registerOAuthClient (OAuthClientConfig name uri) = do | |||
createSecret :: (MonadIO m) => m OAuthClientPlainTextSecret | |||
createSecret = OAuthClientPlainTextSecret <$> rand32Bytes | |||
|
|||
-- TODO(elland): figure out why |
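Review bot: `-- TODO(elland): figure out why` states neither what is surprising nor what should change, so nobody can act on it later; either resolve it before merge or expand it to say which behaviour of `createSecret` needs investigating.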
Something still to do.
Have you searched for all usages of |
Some more comments inlined.
Given that this is changing the default hashing algorithm, and we forgot to do it before in some places, what would be good tests to add to capture this change?
authenticate u pw = | ||
-- TODO: Move this logic into auth subsystem. |
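Review bot: The PR title says password verification moves into the AuthenticationSubsystem, yet `authenticate` still carries a TODO to move its logic there; either finish the move in this PR or reference the tracking ticket in the comment so the remaining work is not lost.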
Still something to do.
@@ -225,10 +231,10 @@ reauthenticate u pw = | |||
where | |||
maybeReAuth pw' = case pw of | |||
Nothing -> do | |||
musr <- lookupUser NoPendingInvitations u | |||
musr <- wrapClientE $ lookupUser NoPendingInvitations u |
Don't we have an equivalent in the UserStore effect?
@@ -265,20 +273,31 @@ activateAccountKey key val = do | |||
lift $ sendApprovalConfirmMail name email | |||
pure . Just $ Public.ProviderActivationResponse email | |||
|
|||
getActivationCodeH :: (Member GalleyAPIAccess r, Member VerificationCodeSubsystem r) => EmailAddress -> (Handler r) Code.KeyValuePair | |||
getActivationCodeH :: |
We could drop this wai-routes convention of ending handler names with "H" now that you've already changed the line.
https://wearezeta.atlassian.net/browse/WPB-9746
Checklist
changelog.d