Fixed #30472 -- Added Argon2id support and made it the default variety of Argon2PasswordHasher.

[fengsi]

No description provided.

[ngnpope]

Please revert all of the unrelated changes - string formatting, quotes, etc. It makes it hard to review the changes intended to address the ticket.

[fengsi]

@pope1ni sure, reverted PEP 8 stuff :)

[felixxm]

@fengsi Thanks for this patch.

Changes require dropping support for argon2-cffi < 16.3.0 please add a release notes, docs and setup.py, also auth_tests.test_hashers.TestUtilsHashPassArgon2.test_argon2_upgrade is falling for 18.2.0 >= argon2-cffi >= 16.3.0. Moreover a lot of tests in auth_tests.test_hashers is falling when argon2-cffi is not installed it is probably related with moving _load_library() to the _init__().

Please revert all unrelated changes e.g. mask_hash().

[apollo13]

This PR has many unrelated changes which is a nogo for security related changes. Also I am not sure if exposing the variety makes sense. The less options the better. A less minimal approach would be master...apollo13:argon

Also we should not rely on the argon defaults as tempting as it would be, but it would break our testsuites etc if argon ever updates those (+ causes rehashing on all sites using it). Better stick to the "known" Django updates can cause a rehash…

[fengsi]

@apollo13 in general I agree that we could probably go for your approach (didn't see it before filing the ticket and also creating the PR). However, I'd highly recommend also updating the must_update() logic in your change set to perform a force rehash for any password not using Argon2id (I had mine here). Reason being if we already hard-coded a different algorithm, it's the same as if we change the default params, such as memory_cost and parallelism, which would cause rehashing as well.

[apollo13]

Ah yes, missed the rehashing on the first pass.

[felixxm]

Superseded by #13066.