default settings #9

Closed
hexkey opened this issue Jun 1, 2022 · 2 comments · Fixed by #10

hexkey commented Jun 1, 2022

Hello,

Seems it's not possible to change default argon2 settings, at least I didn't figure out the way to set them via typical app.config:

```python
# example code (custom flask script)

from flask_argon2 import Argon2
from flask import Flask
app = Flask(__name__)

# example trying to change only memory cost value
app.config['ARGON2_MEMORY_COST'] = 131072
app.config['DEFAULT_MEMORY_COST'] = 131072
crypt_argon2 = Argon2(app)
```

It looks like the Argon2 module is taking pre-set default values from the argon2 module (password_hasher.py) and ignores any values passed in via app.config. Unless I change the argon2 module code, I can't find another way to set custom values.

```python
# argon2/password_hasher.py
from .profiles import RFC_9106_LOW_MEMORY
DEFAULT_RANDOM_SALT_LENGTH = RFC_9106_LOW_MEMORY.salt_len
DEFAULT_HASH_LENGTH = RFC_9106_LOW_MEMORY.hash_len
DEFAULT_TIME_COST = RFC_9106_LOW_MEMORY.time_cost
DEFAULT_MEMORY_COST = RFC_9106_LOW_MEMORY.memory_cost
DEFAULT_PARALLELISM = RFC_9106_LOW_MEMORY.parallelism
```

Values passed to argon2 hash function:

```python
# argon2/profiles.py
# SECOND RECOMMENDED option per RFC 9106.
RFC_9106_LOW_MEMORY = Parameters(
    type=Type.ID,
    version=19,
    salt_len=16,
    hash_len=32,
    time_cost=3,
    memory_cost=65536,  # 64 MiB
    parallelism=4,
)
```

Is this intended, or am I doing something wrong?

@red-coracle
Owner

Good catch. The issue is that the __init__ of Argon2 doesn't call init_app, so the app-level configuration isn't applied. I have a patch that should fix it and will upload a new release once I finish testing.

@hexkey
Author

hexkey commented Jun 3, 2022

Thank you, my quick fix was to edit the lib directly and set params as needed, but it's a 'dirty' fix, and setting this via env variables would be much better.
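
A way to confirm that a configured cost actually reached the hasher, as an added example that is not part of this thread or of flask_argon2: it reads the cost parameters back out of the encoded hash string and compares them with the intended ones. The function names are hypothetical, and the sample hashes are constructed from placeholder bytes using the values quoted in the issue.

```python
import base64

# RFC_9106_LOW_MEMORY costs quoted in the issue (m is the memory cost in KiB).
LIBRARY_DEFAULTS = {"m": 65536, "t": 3, "p": 4}

def decoded_len(field):
    """Length in bytes of an unpadded base64 field from the encoded hash."""
    return len(base64.b64decode(field + "=" * (-len(field) % 4)))

def parse_argon2_hash(encoded):
    """Split a PHC-format Argon2 hash ($variant$v=..$m=..,t=..,p=..$salt$hash)."""
    parts = encoded.split("$")
    if len(parts) != 6 or parts[0] != "" or not parts[1].startswith("argon2"):
        raise ValueError("not a PHC-format Argon2 hash with a version field")
    if not parts[2].startswith("v="):
        raise ValueError("missing version field")
    costs = {}
    for item in parts[3].split(","):
        key, _, value = item.partition("=")
        costs[key] = int(value)
    if set(costs) != {"m", "t", "p"}:
        raise ValueError("expected exactly the m, t and p cost parameters")
    return {"variant": parts[1], "version": int(parts[2][2:]), **costs,
            "salt_len": decoded_len(parts[4]), "hash_len": decoded_len(parts[5])}

def config_mismatches(encoded, expected):
    """Return {name: (expected, actual)} for each parameter that differs."""
    actual = parse_argon2_hash(encoded)
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}

def constructed_hash(m, t, p):
    """Build a sample encoded hash from placeholder bytes (not a real digest)."""
    def b64(raw):
        return base64.b64encode(raw).decode().rstrip("=")
    return f"$argon2id$v=19$m={m},t={t},p={p}${b64(bytes(16))}${b64(bytes(32))}"

# Constructed samples: hasher output when app.config is ignored vs. applied.
IGNORED = constructed_hash(**LIBRARY_DEFAULTS)
APPLIED = constructed_hash(m=131072, t=3, p=4)
WANTED = {"variant": "argon2id", "m": 131072, "t": 3, "p": 4}

if __name__ == "__main__":
    print("config ignored:", config_mismatches(IGNORED, WANTED))
    print("config applied:", config_mismatches(APPLIED, WANTED))
```

Run against a hash freshly produced by the application at startup or in a test, a non-empty result means the hasher is still using parameters other than the configured ones.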
