changed password hash to bcrypt fixes #454

[singhotto]

fixes #454

I included the bcrypt library for password hashing, but the database already contains passwords hashed with the password-hash library. Instead of removing the old library, I've kept it, and now the verification process utilizes both libraries.

[linux-foundation-easycla]

• ✅ login: JamieSlome / name: Jamie Slome (0b19e46, 832274d, d60f9e3, f70d405, bb60c65, db02ec2, 25dbeb7, 5d1d505, 72cfc61, 0d67262, fa2f029, 2c2ad15, 80c49b1, 646cc37, dc6ce86, 3b59292, 23bdd89, 347b656, 2a933e3, 9c32fcd, 195cf8f, dea18e5, b5162fc, 31fe1be, b2b51de, c00b7b7, 0648576, 9952482, 1a6d113, 71167b5, 7f57020, 11af71d, ef491e6, 9f81370, 9175f5d, 4a82e6b, 20c9061, f8f6a72, 37d37ef, b3b5fa8, 5ffdb80, 6186e90, 8187de9, 250cde4, 0858219, 97cb775, aed9e4e, 51c2505, dc887be, 744cec8, d1d76af, 5aa904d, de1a54d, bd4d0bb, 848186e, c3bb9ba, b326e26, 9903517, 08b3b6d, 7ae25ff, 0c7004f, 4cc2da0, 7e8806d)
• ✅ login: renovate[bot] (5813316, c5614ba)
• ✅ login: maoo / name: Maurizio Pillitu (1bbda77, 7e0a54e, b964ca4)
• ❌ - login: @singhotto . The commit (77b2997, 3a38dee) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please submit a support request ticket.

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 ready!

Name	Link
🔨 Latest commit	77b2997
🔍 Latest deploy log	https://app.netlify.com/sites/endearing-brigadeiros-63f9d0/deploys/65df1b6ef8618800082e459e
😎 Deploy Preview	https://deploy-preview-457--endearing-brigadeiros-63f9d0.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[maoo]

Hi @singhotto , thanks for your PR, and welcome to FINOS!

I did implement the fix on https://github.com/finos/git-proxy/pull/453/files ; would you mind reviewing it and rebasing your PR against the fix-auth branch?

Also, please let me know if you encounter any issues with EasyCLA (comment above).

[singhotto]

Can bcrypt verify already hashed passwords (existing users in db) by password-hash library?

Not sure I understand your question, sorry; we started looking at bcrypt mainly because password-hash is not maintained, and we don't want to bring security issues from unmaintained third-party libraries in our codebase; for this reason, we want to get rid of it entirely from the codebase.

That said, I like the way you use bcrypt in your PR, and I think it's cleaner than the approach I used, which is why I suggested you adding to my PR.

why do I have to do the easyCLA?

Long story short, to ensure that contributors are able to contribute their IP to us, and they're aware of it; this also leads to less legal risks for contributors. For the longer story, I suggest you reading https://osr.finos.org/docs/bok/artifacts/clas-and-dcos ; hope this answers your question.

[maoo]

@singhotto - I just realised that I edited your comment, instead of replying. Apologies for that, I didn't realise it!

I've refined the fix-auth branch based on your feedback.

You raise a fair point about password already being hashed with password-hash, which cannot be verified with bcrypt; @JamieSlome @coopernetes - is this going to be a problem in your environments? Or can we accept this breaking change?

I appreciate a lot your help on this; would you be interested to continue contributing to this project? If that's the case, I'd be happy to jump on a quick call, figure our the EasyCLA setup and maybe discuss few other activities we're planning to tackle as a team? Feel free to ping me on maoo@finos.org , eager to keep this collaboration going!

[JamieSlome]

Closing as addressed in #335 👍

Appreciate your support @singhotto and look forward to more of your support on the project ❤️