-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support local signin #36
Comments
I would like to request putting this back onto an agenda (i.e. assign a milestone to it). I believe this to be of major importance for a self-hosted tool. |
OK, I would like to add this back in track, but only for self-hosted usage. Because holding password is a high risky and complex behavior, official service won't enable this feature. |
"self hosted only" is fine with me, that's exactly my use-case :) Can I somehow help? Ideally you'd store not the password but a bcrypt (more widely known) or scrypt (more recent, supposed to be stronger) hash. That way, If anything did happen to the database, there's very little value in the password hashes themselves. |
We use passport.js to auth our users. |
I'm trying to find documentation on how they store passwords, their bcrypt examples seem to have vanished. At the moment it looks to me as if they'd actually store them in plain text which would be extremely bad. But I might well be wrong, given that I've never used their code before. |
I found that too, plaintext won't be acceptable. http://blog.robertonodi.me/node-authentication-series-email-and-password/ |
Aah! Looking at them now! One of the nice things about the two functions is, that they implement salting along the way! No need to add this yourself. You get a long twisted thing back, that also contains information on how strong it has been hashed and its salt value. There's a more detailed answer. Example 1 uses pbkdf2 which is a little bit dated, but better than nothing. Example 3 hashes passwords here: https://gist.github.com/debrouwere/a46dec73629c71706809#file-passport-js-L44 This looks like the way to go, to me. |
I would also like to express my support for this feature. An absolute necessity for locally hosted instances. |
Supported in a73d9ce |
I have removed all social-auth methods and set "email": true. Then there was no Sign in-button anymore. |
Thanks |
Hi, |
As you wish in 00e2845 |
Thanks, rotating them looks great as well. |
What's the problem storing a sha256sum (or any other hash function we believe is preimage-resistant) of the password? |
@marmistrz The reasoning is simple: You can't steal data we don't have. So when logins are out sourced to GitHub, Twitter, … the only thing an attacker can steal are session tokens. Not more. But please notice how old this issue is. CodiMD supports local logins and stored passwords using scrypt. But if you are interested in contributing, local users still need a lot of work especially when it comes to management. So feel free to have a look at #272 and #314. PRs are welcome :) |
@marmistrz please do not ever store passwords just as a hashed value. This is quite simple to circumvent. Sha256 (and others) are designed to be very fast, so you can also run them in parallel on things like graphics cards. Brute forcing something as short as most passwords will cost you a few hundred bucks on AWS or similar services. bcrypt and scrypt are intentionally designed to be slower. Topic you might want to read up on:
This article here is a good start: https://www.wired.com/2016/06/hacker-lexicon-password-hashing/ |
@ccoenen I thought that the password ought to be salted is so obvious that it needn't be stated :) |
In my experience, it is very dangerous to rely on obviousness in security. I once opened an issue in a password manager, where the passwords were "encrypted" to the email address (which was stored in the same database). Please forgive me, if this came off a little strong. Long story short: why are we even talking about this? This issue has been closed/implemented 18 months ago. With a better solution (scrypt was specifically designed for passwords, and mitigates attacks that would work on sha* hashes). |
There might be some users not using any services we used to do a third-party auth.
So we need a local signin solution, currently we're using passport as the auth middleware.
Then using passport-local to support this will be the best.
The text was updated successfully, but these errors were encountered: