From 76b931108e99d7bc665abcc26a52d97b7a1943fe Mon Sep 17 00:00:00 2001
From: Andrey Antukh
Date: Thu, 9 Mar 2023 17:36:17 +0100
Subject: [PATCH] :sparkles: Increase strenght of password hashing algorithm

And enable password update mechanism on login
---
 backend/src/app/auth.clj | 15 +++++++++------
 backend/src/app/rpc/commands/auth.clj | 18 ++++++++++++------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/backend/src/app/auth.clj b/backend/src/app/auth.clj
index cabe859f3..5f7251bf9 100644
--- a/backend/src/app/auth.clj
+++ b/backend/src/app/auth.clj
@@ -6,15 +6,18 @@
 
 (ns app.auth
 (:require
- [buddy.hashers :as hashers]))
+ [buddy.hashers :as hashers]
+ [promesa.exec :as px]))
+
+(def default-params
+ {:alg :argon2id
+ :memory (* 32768 2)
+ :iterations 5
+ :parallelism (px/get-available-processors)})
 
 (defn derive-password
 [password]
- (hashers/derive password
- {:alg :argon2id
- :memory 16384
- :iterations 20
- :parallelism 2}))
+ (hashers/derive password default-params))
 
 (defn verify-password
 [attempt password]
diff --git a/backend/src/app/rpc/commands/auth.clj b/backend/src/app/rpc/commands/auth.clj
index f9ba7e87b..420805188 100644
--- a/backend/src/app/rpc/commands/auth.clj
+++ b/backend/src/app/rpc/commands/auth.clj
@@ -8,6 +8,7 @@
 (:require
 [app.common.data :as d]
 [app.common.exceptions :as ex]
+ [app.common.logging :as l]
 [app.common.spec :as us]
 [app.common.uuid :as uuid]
 [app.config :as cf]
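Review bot: `:parallelism (px/get-available-processors)` in default-params ties the Argon2id cost parameters to whichever host happens to derive the hash, so the same password is hashed with different parameters on a 2-vCPU container and on a 32-core box, and the effective work factor stops being a reviewable policy. If verify-password (whose body lies outside this hunk) sets `:update` by comparing a stored hash's parameters against default-params, moving the deployment between hosts with different core counts would rehash every profile on its next login, and `:memory (* 32768 2)` means each concurrent derivation holds 64 MiB (assuming the value is passed through as KiB, as the Argon2 reference API takes it), which is worth stating explicitly since login endpoints are reachable before authentication. Prefer a fixed or configured value, e.g. `:parallelism 2` or a value read from the application config, and document the budget above the def: `;; Argon2id: 64 MiB, 5 passes; parallelism is fixed so hashes and their cost are reproducible across hosts.`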
@@ -61,14 +62,20 @@
 :code :login-disabled
 :hint "login is disabled in this instance"))
 
- (letfn [(check-password [profile password]
+ (letfn [(check-password [conn profile password]
 (when (= (:password profile) "!")
 (ex/raise :type :validation
 :code :account-without-password
 :hint "the current account does not have password"))
- (:valid (profile/verify-password cfg password (:password profile))))
+ (let [result (profile/verify-password cfg password (:password profile))]
+ (when (:update result)
+ (l/trace :hint "updating profile password" :id (:id profile) :email (:email profile))
+ (profile/update-profile-password! (assoc cfg ::db/conn conn)
+ (assoc profile :password password)))
+ (:valid result)))
 
- (validate-profile [profile]
+
+ (validate-profile [conn profile]
 (when-not profile
 (ex/raise :type :validation
 :code :wrong-credentials))
@@ -78,7 +85,7 @@
 (when (:is-blocked profile)
 (ex/raise :type :restriction
 :code :profile-blocked))
- (when-not (check-password profile password)
+ (when-not (check-password conn profile password)
 (ex/raise :type :validation
 :code :wrong-credentials))
 (when-let [deleted-at (:deleted-at profile)]
@@ -90,8 +97,7 @@
 
 (db/with-atomic [conn pool]
 (let [profile (->> (profile/get-profile-by-email conn email)
- (validate-profile)
- (profile/decode-row)
+ (validate-profile conn)
 (profile/strip-private-attrs))
 invitation (when-let [token (:invitation-token params)]
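Review bot: The rehash branch in check-password fires on `(:update result)` alone, before `(:valid result)` is consulted, so if profile/verify-password can ever return `:update true` together with `:valid false` the stored hash is overwritten with the caller's failed attempt; make the guard `(when (and (:valid result) (:update result))` so the write never depends on how the verifier (defined elsewhere, not visible in this patch) couples the two flags. check-password now also writes to the profile row inside the transaction owned by the enclosing `db/with-atomic`, and the login function wrapping this letfn starts and ends outside the hunk, so a function named check-* that mutates state deserves a comment such as `;; transparently re-derives the stored hash with the current default-params when the verifier flags it as outdated; runs on the login transaction's conn`. The `l/trace` call records the account email as well as the id; the id alone identifies the row, and leaving email out of trace output keeps PII from reaching log aggregation. Hunk 4 below only threads `conn` through and needs no separate change.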