mirror of https://we.phorge.it/source/phorge.git synced 2024-11-15 11:22:40 +01:00
phorge-phorge/src/applications/auth
epriestley 21e415299f Mark all existing password hashes as "legacy" and start upgrading digest formats
Summary:
Depends on D18907. Ref T13043. Ref T12509. We have some weird old password digest behavior that isn't terribly concerning, but also isn't great.

Specifically, old passwords were digested in weird ways before being hashed. Notably, account passwords were digested with usernames, so your password stops working if your username is changed. Not the end of the world, but silly.

Mark all existing hashes as "v1", and automatically upgrade them when they're used or changed. Some day, far in the future, we could stop supporting these legacy digests and delete the code and passwords and just issue upgrade advice ("Passwords which haven't been used in more than two years no longer work."). But at least get things on a path toward sane, modern behavior.

Test Plan: Ran migration. Spot-checked that everything in the database got marked as "v1". Used an existing password to login successfully. Verified that it was upgraded to a `null` (modern) digest. Logged in with it again.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13043, T12509

Differential Revision: https://secure.phabricator.com/D18908
2018-01-23 14:01:09 -08:00
..
__tests__ Add test coverage to the PasswordEngine upgrade workflow and fix a few bugs 2018-01-23 10:55:35 -08:00
action Add a rate limit for guessing old passwords when changing passwords 2018-01-23 13:46:06 -08:00
application Add a bin/auth revoke revoker for SSH keys 2018-01-22 15:35:07 -08:00
capability Auth - add "manage providers" capability 2015-01-12 14:37:58 -08:00
conduit Deactivate SSH keys instead of destroying them completely 2016-05-18 14:54:28 -07:00
constants Support invites in the registration and login flow 2015-02-11 06:06:28 -08:00
controller Move account passwords to shared infrastructure 2018-01-23 13:43:07 -08:00
data Add session and request hooks to PhabricatorAuthSessionEngine 2016-11-17 13:09:29 -08:00
editor When administrators revoke SSH keys, don't include a "security warning" in the mail 2018-01-23 14:00:13 -08:00
engine Move account passwords to shared infrastructure 2018-01-23 13:43:07 -08:00
exception Add email invites to Phabricator (logic only) 2015-02-09 16:12:36 -08:00
extension Add a more modern object for storing password hashes 2018-01-22 15:35:28 -08:00
factor Fix spelling 2017-10-09 10:48:04 -07:00
garbagecollector Provide bin/garbage for interacting with garbage collection 2015-10-02 09:17:24 -07:00
guidance Add a bunch of Phacility-specific code to the upstream, thinly veiled as generic code 2016-11-15 09:11:22 -08:00
handler Modularize generation of supplemental login messages 2015-09-04 10:34:39 -07:00
mail Send forced mail on SSH key edits 2016-05-19 15:01:25 -07:00
management Remove "set password" from bin/accountadmin and let bin/auth recover recover anyone 2018-01-23 10:58:11 -08:00
password Bring new password validation into AuthPasswordEngine 2018-01-23 10:58:37 -08:00
phid Add a more modern object for storing password hashes 2018-01-22 15:35:28 -08:00
provider Move account passwords to shared infrastructure 2018-01-23 13:43:07 -08:00
query Add test coverage to the PasswordEngine upgrade workflow and fix a few bugs 2018-01-23 10:55:35 -08:00
revoker When administrators revoke SSH keys, don't include a "security warning" in the mail 2018-01-23 14:00:13 -08:00
sshkey Send forced mail on SSH key edits 2016-05-19 15:01:25 -07:00
storage Mark all existing password hashes as "legacy" and start upgrading digest formats 2018-01-23 14:01:09 -08:00
tokentype Redesign Config Application 2016-08-29 15:49:49 -07:00
view Add ViewController and SearchEngine for SSH Public Keys 2016-05-19 09:48:46 -07:00
worker Send emails for email invites 2015-02-11 06:06:09 -08:00
xaction Add test coverage to the PasswordEngine upgrade workflow and fix a few bugs 2018-01-23 10:55:35 -08:00