Commit Graph

12 Commits

Author SHA1 Message Date
Valentin Tolmer
278fb1630d server: implement haveibeenpwned endpoint
See #39.
2023-04-04 20:34:37 +02:00
Valentin Tolmer
afe91c7cc0 release: 0.4.2 2023-03-27 11:07:24 +02:00
Valentin Tolmer
5e2eea0d97 sqlx: update dependency and protect against injections 2022-06-26 11:55:37 +02:00
Hendrik Schlehlein
82df8d4ca1 feat: add simple login 2022-03-04 12:04:10 +01:00
Valentin Tolmer
ddeb4c3ce3 cargo: Bump the version number to 0.3.0-alpha.1 2021-11-29 15:50:43 +01:00
Valentin Tolmer
790fd7c5d1 cargo: Update to 2021 edition 2021-11-23 00:25:47 +01:00
Valentin Tolmer
4551e27b55 server, auth: Update some dependencies 2021-11-23 00:25:47 +01:00
Valentin Tolmer
77ced7ea43 misc: Forbid non-ascii identifiers
That prevents a class of Unicode attacks, e.g. invisible characters.
2021-11-23 00:25:47 +01:00
Valentin Tolmer
aa8bbf96f8 cargo: Bump the version to 0.2.0 2021-10-20 08:58:36 +02:00
Valentin Tolmer
f026e7cd38 auth: Add a disclaimer around the argon hash
Some people initially thought that the fixed salt was a security flaw.
This comment clarifies the role of the Argon hash and justifies the
fixed salt.
2021-10-20 08:58:36 +02:00
Valentin Tolmer
73a39fecf0 opaque: Lower the compute cost
This reduces the time to validate a password, at a minor cost of
security (makes brute-forcing the DB easier, but still really hard).

Note: this invalidates all current passwords. It is recommended to
delete the admin user directly in sqlite:

$ sqlite3 users.db
> DELETE from users WHERE user_id = "admin";

It will be recreated with the reset password when restarting the server.
The admin can then reset other users' passwords.
2021-10-15 08:05:50 +02:00
Valentin Tolmer
3eb53ba5bf model: rename to auth
Since the "model" doesn't contain any message from the API anymore, and
instead contains only the structures needed for authentication, it was
renamed as such.
2021-08-31 20:32:55 +02:00