Update KDF Configuration and processing

- Change default Password Hash KDF Storage from 100_000 to 600_000 iterations - Update Password Hash when the default iteration value is different - Validate password_iterations - Validate client-side KDF to prevent it from being set lower than 100_000
2025-11-26 04:26:15 -05:00 · 2023-01-24 13:06:31 +01:00
parent 9b7e86efc2
commit 2d8c8e18f7
6 changed files with 35 additions and 15 deletions
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -130,7 +130,7 @@ async fn _password_login(

    // Get the user
    let username = data.username.as_ref().unwrap().trim();
-    let user = match User::find_by_mail(username, conn).await {
+    let mut user = match User::find_by_mail(username, conn).await {
        Some(user) => user,
        None => err!("Username or password is incorrect. Try again", format!("IP: {}. Username: {}.", ip.ip, username)),
    };
@@ -150,6 +150,16 @@ async fn _password_login(
        )
    }

+    // Change the KDF Iterations
+    if user.password_iterations != CONFIG.password_iterations() {
+        user.password_iterations = CONFIG.password_iterations();
+        user.set_password(password, false, None);
+
+        if let Err(e) = user.save(conn).await {
+            error!("Error updating user: {:#?}", e);
+        }
+    }
+
    // Check if the user is disabled
    if !user.enabled {
        err!(
@@ -172,7 +182,6 @@ async fn _password_login(
            if resend_limit == 0 || user.login_verify_count < resend_limit {
                // We want to send another email verification if we require signups to verify
                // their email address, and we haven't sent them a reminder in a while...
-                let mut user = user;
                user.last_verifying_at = Some(now);
                user.login_verify_count += 1;