Forceu
diff --git a/‎docs/advanced.rst‎
Lines changed: 3 additions & 14 deletions b/‎docs/advanced.rst‎
Lines changed: 3 additions & 14 deletions
diff --git a/‎internal/configuration/Configuration.go‎
Lines changed: 77 additions & 22 deletions b/‎internal/configuration/Configuration.go‎
Lines changed: 77 additions & 22 deletions
@@ -589,24 +589,13 @@ Contains the server configuration. If you want to deploy Gokapi in multiple inst
 Modifying config.json to deploy without setup
 ====================================================
 
-If you want to deploy Gokapi to multiple instances that contain different data, you have to modify the config.json. Open it and change the following fields:
-
-+-----------+------------------------------------------------------------+----------------------+
-| Field     | Operation                                                  | Example              |
-+===========+============================================================+======================+
-| SaltAdmin | Change to empty value                                      | "SaltAdmin": "",     |
-+-----------+------------------------------------------------------------+----------------------+
-| SaltFiles | Change to empty value                                      | "SaltFiles": "",     |
-+-----------+------------------------------------------------------------+----------------------+
-| Username  | Change to the username of your preference,                 | "Username": "admin", |
-|           |                                                            |                      |
-|           | if you are using internal username/password authentication |                      |
-+-----------+------------------------------------------------------------+----------------------+
+If you are deploying Gokapi across multiple instances with different datasets, there is no need to modify the ``config.json`` file anymore. The only time you should update it is when using internal username/password authentication and you want to change the admin username. In that case, simply update the ``Username`` field in the file.
+
 
 Setting an admin password
 ====================================================
 
-If you are using internal username/password authentication, run the binary with the parameter ``--deployment-password [YOUR_PASSWORD]``. This sets the password and also generates a new salt for the password. This has to be done before Gokapi is run for the first time on the new instance. Alternatively you can do this on the orchestrating machine and then copy the configuration file and database to the new instance.
+If you are using internal username/password authentication, run the binary with the parameter ``--deployment-password [YOUR_PASSWORD]``. This sets the password in the database. This has to be done before Gokapi is run for the first time on the new instance. Alternatively you can do this on the orchestrating machine and then copy the configuration file and database to the new instance.
 
 If you are using a Docker image, this has to be done by starting a container with the entrypoint ``/app/run.sh``, for example: ::
 
 
@@ -23,6 +23,7 @@ import (
 	"github.com/forceu/gokapi/internal/logging"
 	"github.com/forceu/gokapi/internal/models"
 	"github.com/forceu/gokapi/internal/storage/filesystem"
+	"golang.org/x/crypto/argon2"
 )
 
 // parsedEnvironment is an object containing the environment variables
@@ -195,7 +196,7 @@ func SetDeploymentPassword(newPassword string) {
 		os.Exit(1)
 	}
 	serverSettings.Authentication.SaltAdmin = helper.GenerateRandomString(30)
-	err := database.EditSuperAdmin(serverSettings.Authentication.Username, hashUserPassword(newPassword))
+	err := database.EditSuperAdmin(serverSettings.Authentication.Username, HashPassword(newPassword, false, ""))
 	if err != nil {
 		fmt.Println("No super-admin user found, but database contains other users. Aborting.")
 		os.Exit(1)
@@ -207,34 +208,88 @@ func SetDeploymentPassword(newPassword string) {
 	os.Exit(0)
 }
 
-// HashPassword hashes a string with SHA1 the file salt or admin user salt
-func HashPassword(password string, useFileSalt bool) string {
-	if useFileSalt {
-		return hashFilePassword(password)
-	}
-	return hashUserPassword(password)
-}
-
-func hashFilePassword(password string) string {
-	return HashPasswordCustomSalt(password, serverSettings.Authentication.SaltFiles)
+// Deprecated: SHA1 is not secure, this is only used for migrating
+// passwords from <v2.2.5 to the current version
+// Will be removed soon.
+func hashSha1(password, salt string) string {
+	pwBytes := []byte(password + salt)
+	hash := sha1.New()
+	hash.Write(pwBytes)
+	return hex.EncodeToString(hash.Sum(nil))
 }
 
-func hashUserPassword(password string) string {
-	return HashPasswordCustomSalt(password, serverSettings.Authentication.SaltAdmin)
-}
+const (
+	argonTime    = 2
+	argonMemory  = 28 * 1024 // 28 MB
+	argonThreads = 1
+	argonKeyLen  = 32
+	argonSaltLen = 16
+)
 
-// HashPasswordCustomSalt hashes a password with SHA1 and the provided salt
-func HashPasswordCustomSalt(password, salt string) string {
+// HashPassword hashes a password with Argon2id.
+// useOldHash is used for migrating from <v2.2.5 to the current version
+// Will be removed soon.
+// legacySalt is only used for migrating from <v2.2.5 to the current version
+func HashPassword(password string, useOldHash bool, legacySalt string) string {
 	if password == "" {
 		return ""
 	}
-	if salt == "" {
-		panic(errors.New("no salt provided"))
+	pwBytes := []byte(password + legacySalt)
+	if useOldHash {
+		if legacySalt == "" {
+			panic(errors.New("no salt provided for legacy hash"))
+		}
+		hash := sha1.New()
+		hash.Write(pwBytes)
+		return hex.EncodeToString(hash.Sum(nil))
 	}
-	pwBytes := []byte(password + salt)
-	hash := sha1.New()
-	hash.Write(pwBytes)
-	return hex.EncodeToString(hash.Sum(nil))
+	// Argon2id: generate a fresh random salt, ignore the global salt
+	randomSalt := []byte(helper.GenerateRandomString(argonSaltLen))
+	hash := argon2.IDKey(
+		[]byte(password),
+		randomSalt,
+		argonTime,
+		argonMemory,
+		argonThreads,
+		argonKeyLen,
+	)
+
+	return fmt.Sprintf("argon2id$%s$%s",
+		hex.EncodeToString(randomSalt),
+		hex.EncodeToString(hash),
+	)
+}
+
+// VerifyPassword checks a plaintext password against a stored hash.
+// If hash is still SHA1, it will check the sha1 hash and return the second parameter as true, to indicate
+// that the hash was generated with the old hash function and requires rehashing
+// Oherwise argon2 will be used and the second parameter will be false
+func VerifyPassword(password, storedHash, legacySalt string) (bool, bool) {
+	if len(storedHash) == 40 {
+		hashedPassword := hashSha1(password, legacySalt)
+		return helper.IsEqualStringConstantTime(hashedPassword, storedHash), true
+	}
+
+	parts := strings.Split(storedHash, "$")
+	if len(parts) != 3 || parts[0] != "argon2id" {
+		return false, false
+	}
+
+	salt, err := hex.DecodeString(parts[1])
+	if err != nil {
+		return false, false
+	}
+
+	hash := argon2.IDKey(
+		[]byte(password),
+		salt,
+		argonTime,
+		argonMemory,
+		argonThreads,
+		argonKeyLen,
+	)
+	hashedPassword := hex.EncodeToString(hash)
+	return helper.IsEqualStringConstantTime(hashedPassword, parts[2]), false
 }
 
 // End2EndReconfigParameters contains values on how to reset E2E, if requested