Security: Migrate API key hashing to argon2id (#445) #492
Merged
filthyrake merged 2 commits into dev on Jan 3, 2026
Conversation
Replace SHA-256 with argon2id for API key hashing to provide defense-in-depth against brute-force attacks. This addresses Issue #445.

Changes:
- Add argon2-cffi dependency for memory-hard password hashing
- Add hash_version column to track algorithm (1=SHA-256 legacy, 2=argon2id new)
- Update worker_auth.py with dual-format verification support
  - New keys use argon2id automatically
  - Legacy SHA-256 keys continue to work
  - Unknown versions fail closed for security
- Add authenticate_api_key() shared helper to eliminate code duplication
- Fix admin.py reencode endpoints to use prefix-based lookup (required because argon2 hashes are non-deterministic)
- Add comprehensive tests for hash versioning

Security notes:
- argon2id with OWASP-recommended parameters (time_cost=3, memory_cost=64MB)
- Timing-safe comparison preserved for legacy SHA-256 verification
- InvalidHash exceptions caught and logged without leaking info
- Backward compatible - existing workers continue working

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reliability improvements per Margo's review:
- Fix prefix collision: authenticate_api_key now fetches ALL matching prefixes and iterates through candidates (fetch_one -> fetch_all)
- Add API key length validation: keys must be >= 8 chars for prefix extraction
- Add key_prefix to error logs for better debugging context
- Add build dependencies (gcc, libffi-dev) to Dockerfiles for argon2-cffi

Migration improvements:
- Add deployment sequence documentation
- Add post-migration verification queries
- Add explicit downgrade check that raises RuntimeError if argon2 keys exist
- Document that downgrade is destructive

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Migrates worker API key hashing from SHA-256 to argon2id, addressing the security improvement identified in #445. This provides defense-in-depth against brute-force attacks by using a memory-hard algorithm.
Key Changes
- argon2-cffi dependency for secure password hashing
- hash_version column to support dual-format verification during migration
- authenticate_api_key() helper to eliminate code duplication
Security Highlights
Database Migration
Migration 026 adds the hash_version column and widens key_hash from 64 to 255 chars to accommodate argon2 hashes.
Test plan
Closes #445
🤖 Generated with Claude Code
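The dual-format verification this PR describes (dispatch on hash_version, unknown versions failing closed, prefix-based candidate lookup that iterates over every matching row, and the minimum key length check), as an added Python example. This is not the project's worker_auth.py or admin.py. Assumptions not stated on the page: the legacy v1 format is the unsalted hex SHA-256 of the raw key, the key_prefix column holds the first 8 characters of the key, an in-memory list stands in for the SELECT by key_prefix, and a missing argon2-cffi backend is treated as "cannot verify" (reject) rather than "pass".

```python
"""Dual-format worker API key verification (hash_version 1 = legacy SHA-256,
2 = argon2id) with prefix lookup and fail-closed handling.

Added example, not the project's worker_auth.py. Needs argon2-cffi for the v2
path; without it, v2 keys are rejected and new keys cannot be issued.
"""
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

try:
    from argon2 import PasswordHasher
    from argon2.exceptions import InvalidHash, VerifyMismatchError
except ImportError:  # assumption: a missing backend means "cannot verify", never "pass"
    PasswordHasher = None

log = logging.getLogger("worker_auth_example")

HASH_VERSION_SHA256 = 1     # legacy rows
HASH_VERSION_ARGON2ID = 2   # rows written after the migration
PREFIX_LEN = 8              # assumption: key_prefix column holds the first 8 chars
MIN_KEY_LEN = 8             # PR: keys must be >= 8 chars so a prefix can be extracted

# Parameters quoted in the PR: time_cost=3, memory_cost=64 MiB (memory_cost is in KiB).
HASHER = (
    PasswordHasher(time_cost=3, memory_cost=64 * 1024, parallelism=1)
    if PasswordHasher is not None else None
)


@dataclass
class WorkerKey:
    """One row of the worker API key table (column names follow the PR)."""
    worker_id: str
    key_prefix: str
    key_hash: str
    hash_version: int


def hash_sha256(api_key: str) -> str:
    """Legacy v1 format (assumption: unsalted hex SHA-256 of the raw key)."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def generate_api_key() -> str:
    """Random 256-bit key; its first PREFIX_LEN chars become key_prefix."""
    return secrets.token_urlsafe(32)


def hash_new_key(api_key: str) -> Tuple[str, int]:
    """New keys are always argon2id. The salt is random, so hashing the same
    key twice gives different strings: rows must be found by prefix, not hash."""
    if HASHER is None:
        raise RuntimeError("argon2-cffi is required to hash new API keys")
    return HASHER.hash(api_key), HASH_VERSION_ARGON2ID


def verify_key(api_key: str, row: WorkerKey) -> bool:
    """Dispatch on hash_version; anything unrecognised fails closed."""
    if row.hash_version == HASH_VERSION_SHA256:
        # constant-time comparison of the two hex digests
        return hmac.compare_digest(hash_sha256(api_key), row.key_hash)
    if row.hash_version == HASH_VERSION_ARGON2ID:
        if HASHER is None:
            log.error("argon2 backend unavailable, rejecting key_prefix=%s", row.key_prefix)
            return False
        try:
            return HASHER.verify(row.key_hash, api_key)
        except VerifyMismatchError:
            return False
        except InvalidHash:
            # corrupt or foreign hash string: log the prefix only, never the key
            log.error("malformed argon2 hash for key_prefix=%s", row.key_prefix)
            return False
    log.error("unknown hash_version=%s for key_prefix=%s", row.hash_version, row.key_prefix)
    return False


def authenticate_api_key(api_key: str, rows: List[WorkerKey]) -> Optional[str]:
    """Shared helper: worker_id for a valid key, else None.

    `rows` stands in for the table. Filtering on key_prefix is the PR's
    SELECT ... WHERE key_prefix = ?, and checking every match (fetch_all,
    not fetch_one) is what makes a prefix collision survivable.
    """
    if len(api_key) < MIN_KEY_LEN:
        return None
    prefix = api_key[:PREFIX_LEN]
    for row in (r for r in rows if r.key_prefix == prefix):
        if verify_key(api_key, row):
            return row.worker_id
    return None


if __name__ == "__main__":
    key = generate_api_key()
    digest, version = hash_new_key(key)
    row = WorkerKey("worker-1", key[:PREFIX_LEN], digest, version)
    print(authenticate_api_key(key, [row]))
    print(authenticate_api_key(key + "x", [row]))
```

Two rows with the same prefix but different versions is the collision case the second commit fixes: a legacy row and an argon2id row can share a prefix, and the loop tries each before giving up. The unknown-version row is never a match, so a mislabelled hash_version can only deny access, not grant it.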