Unified password hashing
Uffd stores many secrets in its database. All short-lived are stored without encryption/hashing. Other secrets use different kinds of hashing (crypt vs. OpenLDAPs ssha512) with different implementations. All of the secrets (expect mfa.models.TOTPMethod.key) could — and IMHO should — be stored hashed.
A unified solution for password/secret hashing should replace all the custom ones currently used in the different places. For long-lived secrets we also need a way to gradually change hash algorithms (e.g. from ssha512 to argon2 for user passwords).
This is a prerequisite of #107 (closed), since it requires storing API/OAuth2 client secrets in the database and I don't want to implement yet another custom password hashing mechansim.
Passwords:
- user.models.User.password (salted sha512)
- signup.models.Signup.password (crypt)
Short-lived tokens:
- selfservice.models.PasswordToken.token (plain-text)
- selfservice.models.MailToken.token (plain-text)
- oauth2.models.OAuth2Grant.code (plain-text)
- oauth2.models.OAuth2Token.access_token/refresh_token (plain-text)
- session.models.DeviceLoginInitiation.secret (plain-text)
-
maybe invite.models.Invite.token? (plain-text)no we continuously make the link available to the creator - signup.models.Signup.token (plain-text)
Other secrets:
- APIClient.client_secret (plain-text in config, soon in DB)
- oauth2.models.OAuth2Client.client_secret (plain-text in config, soon in DB)
- mfa.models.RecoveryCodeMethod.code_hash (crypt)
- mfa.models.TOTPMethod.key (plain-text, cannot be hash, see #139)