feat: Argon2 support

CHANGELOG_engawa.md

@@ -16,6 +16,22 @@
 
 -->
 
+## 0.4.3 (unreleased)
+
+### Release Date
+
+### General
+- パスワードのハッシュでArgon2idをサポート
+	- bcryptによるハッシュは再ログイン時にArgon2idに置き換えられます
+
+### Client
+- 
+
+### Server
+-
+
+### Misc
+
 ## 0.4.2
 
 ### Release Date

packages/backend/package.json

@@ -104,6 +104,7 @@
 		"accepts": "1.3.8",
 		"ajv": "8.13.0",
 		"archiver": "7.0.1",
+		"argon2": "^0.40.3",
 		"async-mutex": "0.5.0",
 		"bcryptjs": "2.4.3",
 		"blurhash": "2.0.5",

packages/backend/src/core/CreateSystemUserService.ts

@@ -5,7 +5,7 @@
 
 import { randomUUID } from 'node:crypto';
 import { Inject, Injectable } from '@nestjs/common';
-import bcrypt from 'bcryptjs';
+import { hashPassword } from '@/misc/password.js';
 import { IsNull, DataSource } from 'typeorm';
 import { genRsaKeyPair } from '@/misc/gen-key-pair.js';
 import { MiUser } from '@/models/User.js';
@@ -32,8 +32,7 @@ export class CreateSystemUserService {
 		const password = randomUUID();
 
 		// Generate hash of password
-		const salt = await bcrypt.genSalt(8);
-		const hash = await bcrypt.hash(password, salt);
+		const hash = await hashPassword(password);
 
 		// Generate secret
 		const secret = generateNativeUserToken();

packages/backend/src/core/SignupService.ts

@@ -5,7 +5,7 @@
 
 import { generateKeyPair } from 'node:crypto';
 import { Inject, Injectable } from '@nestjs/common';
-import bcrypt from 'bcryptjs';
+import { hashPassword } from '@/misc/password.js';
 import { DataSource, IsNull } from 'typeorm';
 import { DI } from '@/di-symbols.js';
 import type { UsedUsernamesRepository, UsersRepository } from '@/models/_.js';
@@ -66,8 +66,7 @@ export class SignupService {
 			}
 
 			// Generate hash of password
-			const salt = await bcrypt.genSalt(8);
-			hash = await bcrypt.hash(password, salt);
+			hash = await hashPassword(password);
 		}
 
 		// Generate secret

packages/backend/src/misc/password.ts

@@ -0,0 +1,20 @@
+import bcrypt from 'bcryptjs';
+import * as argon2 from 'argon2';
+import { randomBytes } from 'crypto';
+
+export async function hashPassword(password: string): Promise<string> {
+	const salt = randomBytes(32);
+	return argon2.hash(password, { salt: salt, type: argon2.argon2id });
+}
+
+export async function comparePassword(password: string, hash: string): Promise<boolean> {
+	if (isOldAlgorithm(hash)) {
+		return bcrypt.compare(password, hash);
+	}
+
+	return argon2.verify(hash, password);
+}
+
+export function isOldAlgorithm(hash: string): boolean {
+	return hash.startsWith('$2');
+}

packages/backend/src/server/api/SigninApiService.ts

@@ -4,7 +4,7 @@
  */
 
 import { Inject, Injectable } from '@nestjs/common';
-import bcrypt from 'bcryptjs';
+import { comparePassword, hashPassword, isOldAlgorithm } from '@/misc/password.js';
 import * as OTPAuth from 'otpauth';
 import { IsNull } from 'typeorm';
 import { DI } from '@/di-symbols.js';
@@ -123,7 +123,12 @@ export class SigninApiService {
 		const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
 
 		// Compare password
-		const same = await bcrypt.compare(password, profile.password!);
+		const same = await comparePassword(password, profile.password!);
+
+		if (same && isOldAlgorithm(profile.password!)) {
+			profile.password = await hashPassword(password);
+			await this.userProfilesRepository.save(profile);
+		}
 
 		const fail = async (status?: number, failure?: { id: string }) => {
 			// Append signin history

packages/backend/src/server/api/SignupApiService.ts

@@ -4,7 +4,6 @@
  */
 
 import { Inject, Injectable } from '@nestjs/common';
-import bcrypt from 'bcryptjs';
 import { IsNull } from 'typeorm';
 import { DI } from '@/di-symbols.js';
 import type { RegistrationTicketsRepository, UsedUsernamesRepository, UserPendingsRepository, UserProfilesRepository, UsersRepository, MiRegistrationTicket } from '@/models/_.js';
@@ -21,6 +20,7 @@ import { bindThis } from '@/decorators.js';
 import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';
 import { SigninService } from './SigninService.js';
 import type { FastifyRequest, FastifyReply } from 'fastify';
+import { hashPassword } from '@/misc/password.js';
 
 @Injectable()
 export class SignupApiService {
@@ -180,8 +180,7 @@ export class SignupApiService {
 			const code = secureRndstr(16, { chars: L_CHARS });
 
 			// Generate hash of password
-			const salt = await bcrypt.genSalt(8);
-			const hash = await bcrypt.hash(password, salt);
+			const hash = await hashPassword(password);
 
 			const pendingUser = await this.userPendingsRepository.insertOne({
 				id: this.idService.gen(),

packages/backend/src/server/api/endpoints/admin/reset-password.ts

@@ -4,12 +4,12 @@
  */
 
 import { Inject, Injectable } from '@nestjs/common';
-import bcrypt from 'bcryptjs';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
 import { DI } from '@/di-symbols.js';
 import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { ModerationLogService } from '@/core/ModerationLogService.js';
+import { hashPassword } from '@/misc/password.js';
 
 export const meta = {
 	tags: ['admin'],
@@ -62,10 +62,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				throw new Error('cannot reset password of root');
 			}
 
-			const passwd = secureRndstr(8);
+			const passwd = secureRndstr(16);
 
 			// Generate hash of password
-			const hash = bcrypt.hashSync(passwd);
+			const hash = await hashPassword(passwd);
 
 			await this.userProfilesRepository.update({
 				userId: user.id,

packages/backend/src/server/api/endpoints/i/2fa/key-done.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
@@ -86,7 +86,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 				}
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
+			const passwordMatched = await comparePassword(ps.password, profile.password ?? '');
 			if (!passwordMatched) {
 				throw new ApiError(meta.errors.incorrectPassword);
 			}

packages/backend/src/server/api/endpoints/i/2fa/register-key.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { UserProfilesRepository } from '@/models/_.js';
@@ -217,7 +217,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 				}
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
+			const passwordMatched = await comparePassword(ps.password, profile.password ?? '');
 			if (!passwordMatched) {
 				throw new ApiError(meta.errors.incorrectPassword);
 			}

packages/backend/src/server/api/endpoints/i/2fa/register.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import * as OTPAuth from 'otpauth';
 import * as QRCode from 'qrcode';
 import { Inject, Injectable } from '@nestjs/common';
@@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				}
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
+			const passwordMatched = await comparePassword(ps.password, profile.password ?? '');
 			if (!passwordMatched) {
 				throw new ApiError(meta.errors.incorrectPassword);
 			}

packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { UserProfilesRepository, UserSecurityKeysRepository } from '@/models/_.js';
@@ -66,7 +66,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				}
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
+			const passwordMatched = await comparePassword(ps.password, profile.password ?? '');
 			if (!passwordMatched) {
 				throw new ApiError(meta.errors.incorrectPassword);
 			}

packages/backend/src/server/api/endpoints/i/2fa/unregister.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
@@ -62,7 +62,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				}
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password ?? '');
+			const passwordMatched = await comparePassword(ps.password, profile.password ?? '');
 			if (!passwordMatched) {
 				throw new ApiError(meta.errors.incorrectPassword);
 			}

packages/backend/src/server/api/endpoints/i/change-password.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { hashPassword, comparePassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { UserProfilesRepository } from '@/models/_.js';
@@ -50,15 +50,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				}
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.currentPassword, profile.password!);
+			const passwordMatched = await comparePassword(ps.currentPassword, profile.password!);
 
 			if (!passwordMatched) {
 				throw new Error('incorrect password');
 			}
 
 			// Generate hash of password
-			const salt = await bcrypt.genSalt(8);
-			const hash = await bcrypt.hash(ps.newPassword, salt);
+			const hash = await hashPassword(ps.newPassword);
 
 			await this.userProfilesRepository.update(me.id, {
 				password: hash,

packages/backend/src/server/api/endpoints/i/delete-account.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
 import { Endpoint } from '@/server/api/endpoint-base.js';
@@ -59,7 +59,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				return;
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password!);
+			const passwordMatched = await comparePassword(ps.password, profile.password!);
 			if (!passwordMatched) {
 				throw new Error('incorrect password');
 			}

packages/backend/src/server/api/endpoints/i/regenerate-token.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
@@ -43,7 +43,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
 			// Compare password
-			const same = await bcrypt.compare(ps.password, profile.password!);
+			const same = await comparePassword(ps.password, profile.password!);
 
 			if (!same) {
 				throw new Error('incorrect password');

packages/backend/src/server/api/endpoints/i/update-email.ts

@@ -5,7 +5,7 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import ms from 'ms';
-import bcrypt from 'bcryptjs';
+import { comparePassword } from '@/misc/password.js';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import type { UserProfilesRepository } from '@/models/_.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
@@ -95,7 +95,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				}
 			}
 
-			const passwordMatched = await bcrypt.compare(ps.password, profile.password!);
+			const passwordMatched = await comparePassword(ps.password, profile.password!);
 			if (!passwordMatched) {
 				throw new ApiError(meta.errors.incorrectPassword);
 			}

packages/backend/src/server/api/endpoints/reset-password.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import bcrypt from 'bcryptjs';
+import { hashPassword } from '@/misc/password.js';
 import { Inject, Injectable } from '@nestjs/common';
 import type { UserProfilesRepository, PasswordResetRequestsRepository } from '@/models/_.js';
 import { Endpoint } from '@/server/api/endpoint-base.js';
@@ -53,8 +53,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			}
 
 			// Generate hash of password
-			const salt = await bcrypt.genSalt(8);
-			const hash = await bcrypt.hash(ps.password, salt);
+			const hash = await hashPassword(ps.password);
 
 			await this.userProfilesRepository.update(req.userId, {
 				password: hash,