Support BCrypt password encryption #425
I don't consider this for now.
BCrypt requires Crypt format (
That's why I'm talking about a configuration property that will tell if the user wants bcrypt or sha.
I truly understand that this prefix parsing sucks.
I was not clear, I think 😄 Here is what I think.

```java
import com.google.common.hash.Hashing;
import lombok.Data;
import org.mindrot.jbcrypt.BCrypt;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

@Data
public class BasicAuth {
    String username;
    String password;
    PasswordHash passwordHash;
    List<String> groups = new ArrayList<>();

    @SuppressWarnings("UnstableApiUsage")
    public boolean isValidPassword(String password) {
        if (this.passwordHash == PasswordHash.BCRYPT) {
            // See http://www.mindrot.org/projects/jBCrypt/
            return BCrypt.checkpw(password, this.password);
        } else {
            // Default Sha256 format
            return this.password.equals(
                Hashing.sha256()
                    .hashString(password, StandardCharsets.UTF_8)
                    .toString()
            );
        }
    }

    public enum PasswordHash {
        SHA256,
        BCRYPT
    }
}
```

What do you think about that?
Yes, you were clear. Except I thought you wanted to make I'll implement that way.
SHA-256 without salt is considered breakable.
This pull request adds:
However, it still doesn't support SHA-256 with salt and multiple iterations, as in https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html