Noobaa Account: Replace bcrypt password hashing by argon2

package.json

@@ -81,6 +81,7 @@
     "ajv": "8.17.1",
     "aws-sdk": "2.1659.0",
     "bcrypt": "5.1.1",
+    "argon2": "0.40.3",
     "big-integer": "1.6.52",
     "bindings": "1.5.0",
     "bufferutil": "4.0.8",

src/server/common_services/auth_server.js

@@ -3,6 +3,7 @@
 
 const _ = require('lodash');
 const bcrypt = require('bcrypt');
+const argon2 = require('argon2');
 const ip_module = require('ip');
 
 const P = require('../../util/promise');
@@ -36,6 +37,14 @@ const s3_bucket_policy_utils = require('../../endpoint/s3/s3_bucket_policy_utils
  * a previously authenticated account.
  *
  */
+
+function compare_password_hash(password, target_account) {
+    if (bcrypt.compare(password.unwrap(), target_account.password.unwrap())) {
+        return true;
+    }
+    return (argon2.verify(target_account.password.unwrap(), password.unwrap()));
+}
+
 function create_auth(req) {
 
     const email = req.rpc_params.email;
@@ -66,7 +75,7 @@ function create_auth(req) {
             if (!password) return;
 
             return P.resolve()
-                .then(() => bcrypt.compare(password.unwrap(), target_account.password.unwrap()))
+                .then(() => compare_password_hash(password, target_account))
                 .then(match => {
                     if (!match) {
                         dbg.log0('password mismatch', email, system_name);

src/server/system_services/account_server.js

@@ -7,6 +7,7 @@ const net = require('net');
 const chance = require('chance')();
 const GoogleStorage = require('../../util/google_storage_wrap');
 const bcrypt = require('bcrypt');
+const argon2 = require('argon2');
 const server_rpc = require('../server_rpc');
 
 const config = require('../../../config');
@@ -79,7 +80,7 @@ async function create_account(req) {
 
     if (req.rpc_params.has_login) {
         account.password = req.rpc_params.password;
-        const password_hash = await bcrypt_password(account.password.unwrap());
+        const password_hash = await argon2_password(account.password.unwrap());
         account.password = password_hash;
     }
 
@@ -574,7 +575,7 @@ async function reset_password(req) {
 
     const params = req.rpc_params;
 
-    const password = await bcrypt_password(params.password.unwrap());
+    const password = await argon2_password(params.password.unwrap());
 
     const changes = {
         password: new SensitiveString(password),
@@ -1334,7 +1335,7 @@ function ensure_support_account() {
             }
 
             console.log('CREATING SUPPORT ACCOUNT...');
-            return bcrypt_password(system_store.get_server_secret())
+            return argon2_password(system_store.get_server_secret())
                 .then(password => {
                     const support_account = {
                         _id: system_store.new_system_store_id(),
@@ -1358,9 +1359,9 @@ function ensure_support_account() {
         });
 }
 
-function bcrypt_password(password) {
+function argon2_password(password) {
     return P.resolve()
-        .then(() => password && bcrypt.hash(password, 10));
+        .then(() => password && argon2.hash(password));
 }
 
 function is_support_or_admin_or_me(system, account, target_account) {
@@ -1454,7 +1455,10 @@ async function verify_authorized_account(req) {
     if (req.role === 'operator') {
         return true;
     }
-    return bcrypt.compare(req.rpc_params.verification_password.unwrap(), req.account.password.unwrap());
+    if (bcrypt.compare(req.rpc_params.verification_password.unwrap(), req.account.password.unwrap())) {
+        return true;
+    }
+    return argon2.verify(req.account.password.unwrap(), req.rpc_params.verification_password.unwrap());
 }
 
 function _list_connection_usage(account, credentials) {

src/server/system_services/schemas/account_schema.js

@@ -25,7 +25,7 @@ module.exports = {
 
         // password login
         has_login: { type: 'boolean' },
-        password: { wrapper: SensitiveString }, // bcrypted password
+        password: { wrapper: SensitiveString }, // argon2 password
         next_password_change: { date: true },
 
         // default policy for new buckets