feat(core,schemas): add support for argon2d and argon2id (#6404)

2024-12-16 20:26:19 -05:00 · 2024-08-06 15:12:47 +08:00 · 2024-08-06 15:12:47 +08:00 · d56bc2f731
commit d56bc2f731
parent 43d5bd248c
5 changed files with 88 additions and 3 deletions
--- a/.changeset/thirty-cups-joke.md
+++ b/.changeset/thirty-cups-joke.md
@ -0,0 +1,10 @@
 ---
 "@logto/schemas": minor
 "@logto/core": minor
 ---
 add support for new password digest algorithm argon2d and argon2id
 In `POST /users`, the `passwordAlgorithm` field now accepts `Argon2d` and `Argon2id`.
 Users with those algorithms will be migrated to `Argon2i` upon succussful sign in.
--- a/packages/core/src/libraries/user.test.ts
+++ b/packages/core/src/libraries/user.test.ts
@ -99,7 +99,7 @@ describe('encryptUserPassword()', () => {
 describe('verifyUserPassword()', () => {
  const { verifyUserPassword } = createUserLibrary(queries);
-  describe('Argon2', () => {
+  describe('Argon2i', () => {
    it('resolves when password is correct', async () => {
      await expect(verifyUserPassword(mockUser, 'password')).resolves.not.toThrowError();
    });
@ -111,6 +111,43 @@ describe('verifyUserPassword()', () => {
    });
  });
  describe('Argon2d', () => {
    const user = {
      ...mockUser,
      passwordEncrypted: '$argon2d$v=19$m=16,t=2,p=1$VW1JcEJrMjN1Vnp3Tm5JUA$Ddl/I6Zem7vbZ4r5jPCb/g',
      passwordEncryptionMethod: UsersPasswordEncryptionMethod.Argon2d,
    };
    it('resolves when password is correct', async () => {
      await expect(verifyUserPassword(user, 'password')).resolves.not.toThrowError();
    });
    it('rejects when password is incorrect', async () => {
      await expect(verifyUserPassword(user, 'wrong')).rejects.toThrowError(
        new RequestError({ code: 'session.invalid_credentials', status: 422 })
      );
    });
  });
  describe('Argon2id', () => {
    const user = {
      ...mockUser,
      passwordEncrypted:
        '$argon2id$v=19$m=16,t=2,p=1$VW1JcEJrMjN1Vnp3Tm5JUA$0uzNwxbjs/f/1e5r4uX7JQ',
      passwordEncryptionMethod: UsersPasswordEncryptionMethod.Argon2id,
    };
    it('resolves when password is correct', async () => {
      await expect(verifyUserPassword(user, 'password')).resolves.not.toThrowError();
    });
    it('rejects when password is incorrect', async () => {
      await expect(verifyUserPassword(user, 'wrong')).rejects.toThrowError(
        new RequestError({ code: 'session.invalid_credentials', status: 422 })
      );
    });
  });
  describe('MD5', () => {
    const user = {
      ...mockUser,
--- a/packages/core/src/libraries/user.ts
+++ b/packages/core/src/libraries/user.ts
@ -178,7 +178,10 @@ export const createUserLibrary = (queries: Queries) => {
    );
    switch (passwordEncryptionMethod) {
-      case UsersPasswordEncryptionMethod.Argon2i: {
+      // Argon2i, Argon2id, Argon2d shares the same verify function
      case UsersPasswordEncryptionMethod.Argon2i:
      case UsersPasswordEncryptionMethod.Argon2id:
      case UsersPasswordEncryptionMethod.Argon2d: {
        const result = await argon2Verify({ password, hash: passwordEncrypted });
        assertThat(result, new RequestError({ code: 'session.invalid_credentials', status: 422 }));
        break;
--- a/packages/schemas/alterations/next-1722926389-argon2d-argon2id.ts
+++ b/packages/schemas/alterations/next-1722926389-argon2d-argon2id.ts
@ -0,0 +1,35 @@
 import { sql } from '@silverhand/slonik';
 import type { AlterationScript } from '../lib/types/alteration.js';
 const alteration: AlterationScript = {
  up: async (pool) => {
    await pool.query(sql`
      alter type users_password_encryption_method add value 'Argon2id';
      alter type users_password_encryption_method add value 'Argon2d';
    `);
  },
  down: async (pool) => {
    const { rows } = await pool.query(sql`
      select id from users
      where password_encryption_method = ${'Argon2id'}
      or password_encryption_method = ${'Argon2d'}
    `);
    if (rows.length > 0) {
      throw new Error('There are users with password encryption methods Argon2id or Argon2d.');
    }
    await pool.query(sql`
      create type users_password_encryption_method_revised as enum ('Argon2i', 'SHA1', 'SHA256', 'MD5', 'Bcrypt');
      alter table users 
      alter column password_encryption_method type users_password_encryption_method_revised 
      using password_encryption_method::text::users_password_encryption_method_revised;
      drop type users_password_encryption_method;
      alter type users_password_encryption_method_revised rename to users_password_encryption_method;
    `);
  },
 };
 export default alteration;
--- a/packages/schemas/tables/users.sql
+++ b/packages/schemas/tables/users.sql
@ -1,6 +1,6 @@
 /* init_order = 1 */
-create type users_password_encryption_method as enum ('Argon2i', 'SHA1', 'SHA256', 'MD5', 'Bcrypt');
+create type users_password_encryption_method as enum ('Argon2i', 'Argon2id', 'Argon2d', 'SHA1', 'SHA256', 'MD5', 'Bcrypt');
 create table users (
  tenant_id varchar(21) not null