Commit Graph

11 Commits

Author SHA1 Message Date
Valentin Tolmer
5cb07b9780 dependencies: update opaque_ke to v2
This is a breaking change: it changes the way the password data is
serialized in the DB, so any saved password is no longer readable (all
passwords have to get reset).
2022-11-21 12:22:10 +01:00
Valentin Tolmer
5e2eea0d97 sqlx: update dependency and protect against injections 2022-06-26 11:55:37 +02:00
Hendrik Schlehlein
82df8d4ca1 feat: add simple login 2022-03-04 12:04:10 +01:00
Valentin Tolmer
ddeb4c3ce3 cargo: Bump the version number to 0.3.0-alpha.1 2021-11-29 15:50:43 +01:00
Valentin Tolmer
790fd7c5d1 cargo: Update to 2021 edition 2021-11-23 00:25:47 +01:00
Valentin Tolmer
4551e27b55 server, auth: Update some dependencies 2021-11-23 00:25:47 +01:00
Valentin Tolmer
77ced7ea43 misc: Forbid non-ascii identifiers
That prevents a class of Unicode attacks, e.g. invisible characters.
2021-11-23 00:25:47 +01:00
Valentin Tolmer
aa8bbf96f8 cargo: Bump the version to 0.2.0 2021-10-20 08:58:36 +02:00
Valentin Tolmer
f026e7cd38 auth: Add a disclaimer around the argon hash
Some people initially thought that the fixed salt was a security flaw.
This comment clarifies the role of the Argon hash and justifies the
fixed salt.
2021-10-20 08:58:36 +02:00
Valentin Tolmer
73a39fecf0 opaque: Lower the compute cost
This reduces the time to validate a password, at a minor cost of
security (makes bruteforcing the DB easier, but still really hard).

Note: this invalidates all current passwords. It is recommended to
delete the admin user directly in sqlite:

$ sqlite3 users.db
sqlite> DELETE FROM users WHERE user_id = 'admin';

It will be recreated with the reset password when restarting the server.
The admin can then reset other users' passwords.
2021-10-15 08:05:50 +02:00
Valentin Tolmer
3eb53ba5bf model: rename to auth
Since the "model" doesn't contain any message from the API anymore, and
instead contains only the structures needed for authentication, it was
renamed as such.
2021-08-31 20:32:55 +02:00