feat: password hashing with argon2

Author: nakrovati

.editorconfig

@@ -5,7 +5,7 @@ charset = utf-8
 end_of_line = lf
 indent_size = 4
 indent_style = tab
-insert_final_newline = false
+insert_final_newline = true
 max_line_length = 120
 tab_width = 4
 # noinspection EditorConfigKeyCorrectness
@@ -20,4 +20,4 @@ indent_size = 2
 indent_style = space
 
 [*.md]
-trim_trailing_whitespace = true
+trim_trailing_whitespace = false

build.gradle.kts

@@ -35,6 +35,7 @@ dependencies {
 	implementation(libs.flyway.core)
 	implementation(libs.flyway.mysql)
 	implementation(libs.hikaricp)
+	implementation(libs.argon2)
 	implementation(libs.mysql.connector.j)
 	implementation(libs.mariadb.java.client)
     implementation(libs.logback.classic)

gradle/libs.versions.toml

@@ -25,6 +25,8 @@ mysql-connector-j = { module = "com.mysql:mysql-connector-j", version = "9.2.0"
 mariadb-java-client = { module = "org.mariadb.jdbc:mariadb-java-client", version = "3.5.4" }
 hikaricp = { module = "com.zaxxer:HikariCP", version = "6.3.0" }
 
+argon2 = { module = "de.mkammerer:argon2-jvm", version = "2.12" }
+
 logback-classic = { module = "ch.qos.logback:logback-classic", version.ref = "logback-version" }
 
 ktor-server-test-host = { module = "io.ktor:ktor-server-test-host", version.ref = "ktor-version" }

src/main/kotlin/org/kotatsu/resources/User.kt

@@ -3,12 +3,13 @@ package org.kotatsu.resources
 import org.kotatsu.database
 import org.kotatsu.model.user.*
 import org.kotatsu.model.users
-import org.kotatsu.util.md5
 import org.kotatsu.util.withRetry
 import org.ktorm.dsl.eq
 import org.ktorm.dsl.insertAndGenerateKey
 import org.ktorm.entity.find
 import org.ktorm.entity.singleOrNull
+import org.kotatsu.util.PasswordHasher
+import org.kotatsu.util.md5
 
 suspend fun getOrCreateUser(request: AuthRequest, allowNewRegister: Boolean): UserInfo? = withRetry {
 	require(request.password.length in 2..24) {
@@ -17,16 +18,38 @@ suspend fun getOrCreateUser(request: AuthRequest, allowNewRegister: Boolean): Us
 	require(request.email.length in 5..320 && '@' in request.email) {
 		"Invalid email address"
 	}
-	val passDigest = request.password.md5()
+
 	val user = database.users.find { (it.email eq request.email) }
+
 	when {
-		user == null && allowNewRegister -> registerUser(request, passDigest)
+		user == null && allowNewRegister -> {
+			val bcryptHash = PasswordHasher.hash(request.password)
+			registerUser(request, bcryptHash)
+		}
 		user == null -> null
-		user.passwordHash == passDigest -> user.toUserInfo()
-		else -> null
+		else -> {
+			val storedHash = user.passwordHash
+
+			when {
+				PasswordHasher.isArgon2Hash(storedHash) -> {
+					if (PasswordHasher.verify(request.password, storedHash)) {
+						user.toUserInfo()
+					} else null
+				}
+				else -> { // MD5 legacy
+					if (storedHash == request.password.md5()) {
+						// Upgrade to bcrypt
+						user.passwordHash = PasswordHasher.hash(request.password)
+						user.flushChanges()
+						user.toUserInfo()
+					} else null
+				}
+			}
+		}
 	}
 }
 
+
 private fun registerUser(request: AuthRequest, passwordDigest: String): UserInfo? {
 	val userId = database.insertAndGenerateKey(UsersTable) {
 		set(it.email, request.email)

src/main/kotlin/org/kotatsu/util/PasswordHashier.kt

@@ -0,0 +1,21 @@
+package org.kotatsu.util
+
+import de.mkammerer.argon2.Argon2
+import de.mkammerer.argon2.Argon2Factory
+
+object PasswordHasher {
+	private val argon2: Argon2 = Argon2Factory.create(Argon2Factory.Argon2Types.ARGON2id)
+
+	private const val ITERATIONS = 3
+	private const val MEMORY_KB = 65536  // 64 MB
+	private const val PARALLELISM = 1
+
+	fun hash(password: String): String =
+		argon2.hash(ITERATIONS, MEMORY_KB, PARALLELISM, password.toCharArray())
+
+	fun verify(password: String, hash: String): Boolean =
+		argon2.verify(hash, password.toCharArray())
+
+	fun isArgon2Hash(hash: String): Boolean =
+		hash.startsWith("\$argon2id\$")
+}