Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rate limit password hashing operations #4353

Draft
wants to merge 1 commit into
base: develop
Choose a base branch
from
Draft

Rate limit password hashing operations #4353

wants to merge 1 commit into from

Conversation

akshaymankar
Copy link
Member

https://wearezeta.atlassian.net/browse/WPB-11901

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

@echoes-hq echoes-hq bot added the echoes: technical-roadmap/security More specific category, to highlight task that tackle security requirements. label Dec 2, 2024
@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Dec 2, 2024
@akshaymankar
Put all password hashing operations in one place
bcb5ad1 
Once they are all in that effect, we can start asking for either the user ID or
the IP address and use that to rate limit.

Changes:
1. Move verifyPassword and verifyPasswordWithStatus to wire-subsystems
2. verifyPasswordWithStatus doesn't ask password to be updated if the current
config says that the password should be hashed with Scrypt.
3. Move PasswordStatus type to wire-subsystems as it is not part of the API.
4. Use Wire.Sem.Random (and hence openssl in prod) to generate salt.
5. Move all password tests from wire-api to wire-subsystems.
6. Use HashPassword effect for password verification everywhere.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
echoes: technical-roadmap/security More specific category, to highlight task that tackle security requirements. ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akshaymankar @zebot