fix: use sufficient computational effort for password hash

[jsjoeio]

This PR modifies the underlying algorithm used in the hash function to use sufficient computational effort.

Changes

• refactor to use argon2 instead of sha256
• add unit tests for hash and helper functions

Screenshots

Using a hashed-password (sha256)

Screen.Recording.2021-06-03.at.11.37.25.AM.mov

Using a regular password (not hashed)

Screen.Recording.2021-06-03.at.11.40.37.AM.mov

Using a hashed-password (argon2)

Screen.Recording.2021-06-04.at.1.46.16.PM.mov

Checklist

• tested locally
• added new dependencies
• added tests
• updated CHANGELOG.md
• ensure we still support hashed_password in the config which is hashed with sha256

Fixes #3381

Follow-up: #3432

Notes

Here is how authentication works in code-server:

Link to Excalidraw

[codecov]

Codecov Report

Merging #3422 (0fbeb93) into main (d8c3ba6) will increase coverage by 1.32%.
The diff coverage is 76.78%.

❗ Current head 0fbeb93 differs from pull request most recent head 1e55a64. Consider uploading reports for the commit 1e55a64 to get more accurate results

@@            Coverage Diff             @@
##             main    #3422      +/-   ##
==========================================
+ Coverage   59.21%   60.53%   +1.32%     
==========================================
  Files          35       35              
  Lines        1709     1784      +75     
  Branches      379      403      +24     
==========================================
+ Hits         1012     1080      +68     
- Misses        559      562       +3     
- Partials      138      142       +4     

Impacted Files	Coverage Δ
src/node/routes/vscode.ts	29.78% <0.00%> (-0.33%)	⬇️
src/node/routes/login.ts	42.59% <20.00%> (-2.70%)	⬇️
src/node/routes/domainProxy.ts	62.50% <40.00%> (-1.61%)	⬇️
src/node/routes/index.ts	77.14% <50.00%> (ø)
src/node/routes/pathProxy.ts	67.85% <50.00%> (ø)
src/node/routes/static.ts	61.36% <66.66%> (+0.89%)	⬆️
src/node/http.ts	36.06% <76.92%> (+3.27%)	⬆️
src/node/util.ts	69.94% <91.30%> (+14.70%)	⬆️
src/node/cli.ts	79.83% <100.00%> (+0.25%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d8c3ba6...1e55a64. Read the comment docs.

[ammario]

bcrypt!

[jsjoeio]

@oxy do you mind taking a look at this today or tomorrow?

[oxy]

argon2 is a stronger algorithm but bcrypt is also alright - though I'm still a little confused about how you're handling authentication, what hashedPassword is used for with the cookie, and how/if we compare against bcrypt passwords in the auth route itself.

[jsjoeio]

Notes:

1. merge in PR (try argon2)
2. write tests for router (testing one level up from hashing) - make an issue
3. add token exchange -> make an issue
4. rewrite other parts if needed? -> add to 3

[jsjoeio]

@oxy do you mind taking a look at the security warnings/errors flagged by CodeQL? I know we plan to fix most of these in a follow-up PR but want to make sure my code isn't introducing anything you would flag: https://github.com/cdr/code-server/pull/3422/checks?check_run_id=2749748946

[jsjoeio]

Removed the docs as requested! Ready for another review

[oxy]

All good! Thanks for sticking through this ❤️

[jsjoeio]

Thanks for sticking through this

Thanks for sharing your security knowledge with me! I feel like I'm slowing becoming more mindful of it thanks to you 😂