✨ Update default hasher to argon2id.

2025-01-08 07:50:43 -05:00 · 2020-12-03 12:59:23 +01:00 · 2020-12-03 12:59:23 +01:00 · c21dc7ea7f
commit c21dc7ea7f
parent b92045f905
2 changed files with 15 additions and 5 deletions
--- a/backend/deps.edn
+++ b/backend/deps.edn
@ -38,9 +38,9 @@
  funcool/promesa {:mvn/version "5.1.0"}
  funcool/cuerdas {:mvn/version "2020.03.26-3"}

-  buddy/buddy-core {:mvn/version "1.8.0"}
-  buddy/buddy-hashers {:mvn/version "1.6.0"}
-  buddy/buddy-sign {:mvn/version "3.2.0"}
+  buddy/buddy-core {:mvn/version "1.9.0"}
+  buddy/buddy-hashers {:mvn/version "1.7.0"}
+  buddy/buddy-sign {:mvn/version "3.3.0"}

  lambdaisland/uri {:mvn/version "1.4.54"
                    :exclusions [org.clojure/data.json]}
--- a/backend/src/app/services/mutations/profile.clj
+++ b/backend/src/app/services/mutations/profile.clj
@ -27,6 +27,7 @@
   [app.util.time :as dt]
   [buddy.hashers :as hashers]
   [clojure.spec.alpha :as s]
+   [clojure.tools.logging :as log]
   [cuerdas.core :as str]))

 ;; --- Helpers & Specs
@ -138,11 +139,20 @@

 (defn- derive-password
  [password]
-  (hashers/derive password {:alg :bcrypt+sha512}))
+  (hashers/derive password
+                  {:alg :argon2id
+                   :memory 16384
+                   :iterations 20
+                   :parallelism 2}))

 (defn- verify-password
  [attempt password]
-  (hashers/verify attempt password))
+  (try
+    (hashers/verify attempt password)
+    (catch Exception e
+      (log/warnf e "Error on verify password (only informative, nothing affected to user).")
+      {:update false
+       :valid false})))

 (defn- create-profile
  "Create the profile entry on the database with limited input