Can I create new individual users via the rest API, post to principal, with argon2 secrets? #108
Closed
JanAxelJonsson
started this conversation in
General
Replies: 1 comment
Solved: Just changed from adding user "kalle" to "jan" and it works.
I make a call via the REST API to create a new individual, using the call /principal.
With a hash from 'openssl passwd -6' it works, for example '$6$m15MG2vGAQG0rWN/$9H5YokW.Xgu1YRPKRNhJ67gR/wFz33pTZ.5akE95X8nwlgqZgocxtZiq9eg5NoaqK/pKfCVYoTbRzB0x8yO5P1';
with an argon2 hash it does not work, see below (the API call works, but the user 'kalle' cannot log in and gets invalid password).
I am testing with a Stalwart installation that is set up entirely with defaults, no config changes.
Data in the POST call to API/principal:
```
data {
  type: 'individual',
  name: 'kalle',
  description: 'kalle petterson',
  secrets: [
    '$argon2id$v=19$m=64000,t=3,p=1$pAbSHQuc4pTL7C11mNsJHA$9U1V0RxsZGKgG7l8jHBl9igRurbW4wil3ZruS2ad2e8'
  ],
  emails: [ '[email protected]' ],
  roles: [ 'user' ]
}
```
Question: is it possible to do it this way? Do I need to add argon2 support to Stalwart?
This is the way I calculate the hashes:
```js
// node.js myhash.js:
import child_process from "node:child_process";
import util from "node:util";
import * as argon2 from "argon2";
import * as crypto from "crypto";
// own dependencies
import logger from "./logger.js";

// silly exec "openssl" shell version of sha512 -- WORKS
const execFile = util.promisify(child_process.execFile);
export async function hashPasswordOpenSSL(password) {
  // Do not write the plaintext password to the log.
  logger.info('myhash.js', 'hashPasswordOpenSSL');
  // Note: the password is passed as a command-line argument here, so it is
  // visible in the process list while openssl runs.
  const { stdout } = await execFile("openssl", ["passwd", "-6", password]);
  return stdout.trim(); // e.g. "$6$<salt>$<hash>"
}

// argon2 version -- DOES NOT WORK WITH STALWART
const hashingConfig = { // based on OWASP cheat sheet recommendations (as of March, 2022)
  parallelism: 1,
  memoryCost: 64000, // 64 MB
  timeCost: 3 // number of iterations
};
export async function hashPasswordArgon2(password) { ////// this is the call used
  const salt = crypto.randomBytes(16);
  return await argon2.hash(password, {
    ...hashingConfig,
    salt,
  });
}
export async function verifyPasswordWithHashArgon2(password, hash) {
  return await argon2.verify(hash, password, hashingConfig);
}
```
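When the API call succeeds but login fails, a malformed hash string is one cause that can be ruled out before the POST. The following is an added example, not part of the original post and not Stalwart's code: a dependency-free check that parses the two secret formats shown above. `parseArgon2Phc` and `describeSecret` are hypothetical helper names, and the check says nothing about which formats the server accepts.

```javascript
// Added example: parse a PHC-format Argon2 string and report its parameters.
// parseArgon2Phc / describeSecret are hypothetical names, not a Stalwart or node-argon2 API.
const B64 = /^[A-Za-z0-9+/]+$/; // PHC strings use standard base64 without '=' padding

function parseArgon2Phc(phc) {
  const parts = phc.split("$");
  // Expected layout: "", id, "v=19", "m=..,t=..,p=..", salt, hash
  if (parts.length !== 6 || parts[0] !== "") {
    throw new Error("not a 5-field PHC string");
  }
  const [, id, ver, paramStr, saltB64, hashB64] = parts;
  if (!["argon2id", "argon2i", "argon2d"].includes(id)) {
    throw new Error(`unexpected algorithm id: ${id}`);
  }
  const v = /^v=(\d+)$/.exec(ver);
  if (!v) throw new Error("missing version field");
  const params = {};
  for (const kv of paramStr.split(",")) {
    const m = /^([mtp])=(\d+)$/.exec(kv);
    if (!m) throw new Error(`bad parameter: ${kv}`);
    params[m[1]] = Number(m[2]);
  }
  for (const k of ["m", "t", "p"]) {
    if (!(k in params)) throw new Error(`missing parameter: ${k}`);
  }
  if (!B64.test(saltB64) || !B64.test(hashB64)) {
    throw new Error("salt or hash is not unpadded base64");
  }
  return {
    id, version: Number(v[1]),
    memoryKiB: params.m, iterations: params.t, parallelism: params.p,
    saltBytes: Buffer.from(saltB64, "base64").length,
    hashBytes: Buffer.from(hashB64, "base64").length,
  };
}

// Pre-flight check: which kind of secret is about to be sent in `secrets`?
function describeSecret(secret) {
  if (secret.startsWith("$argon2")) return parseArgon2Phc(secret);
  // SHA-512 crypt without a rounds= field: $6$<salt>$<86-character hash>
  if (/^\$6\$[^$]+\$[./A-Za-z0-9]{86}$/.test(secret)) return { id: "sha512-crypt" };
  throw new Error("unrecognised hash format");
}

// The argon2id string from the post above.
const posted = "$argon2id$v=19$m=64000,t=3,p=1$pAbSHQuc4pTL7C11mNsJHA$9U1V0RxsZGKgG7l8jHBl9igRurbW4wil3ZruS2ad2e8";
console.log(describeSecret(posted));
```

For the posted string this reports argon2id, version 19, a 16-byte salt and a 32-byte hash, so the string itself is well formed.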