feat: password migration hook #3978
Code looks very good, I just have some improvement suggestions for the test.
dec := json.NewDecoder(io.LimitReader(resp.Body, 1024)) // limit the response body to 1KB | ||
var response PasswordMigrationResponse | ||
if err := dec.Decode(&response); err != nil || response.Status != "password_match" { | ||
return errors.WithStack(schema.NewInvalidCredentialsError()) |
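Review bot: In the condition `err != nil || response.Status != "password_match"`, a decode failure (malformed JSON, or a body cut short by the 1KB `io.LimitReader`) and a genuine non-match both end in the same `NewInvalidCredentialsError`, and `err` is discarded. Suggest splitting the two cases so the decode error is logged or attached to a trace span before returning, while the caller still receives invalid credentials in both.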
This probably needs some tracing or something, because it will be difficult to debug this hook otherwise
if err := hash.Compare(r.Context(), []byte(p.Password), []byte(o.HashedPassword)); err != nil { | ||
return nil, s.handleLoginError(w, r, f, &p, errors.WithStack(schema.NewInvalidCredentialsError())) | ||
} | ||
if o.ShouldUsePasswordMigrationHook() { |
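Review bot: At `if o.ShouldUsePasswordMigrationHook() {`, the name reads like a stored flag and nothing at this call site says which condition ends the migration state. A one-line comment here stating when the method stops returning true would save the next reader the lookup.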
Who sets this to false once this is executed successfully? Is it s.migratePasswordHash?
Looks like it is
Yes, if the password hash is not empty, this returns false.
This PR adds a password migration hook to easily migrate passwords for which we do not have the hash.
password with a config of {"use_password_migration_hook": true}.
password_migration web hook if all of these are true:
{"use_password_migration_hook": true}
password_migration hook is configured
password_migration hook, the HTTP status code will be inspected:
{"status": "password_match"}. The password credential config will be replaced with the hash of the actual password.
Related issue(s)
Further Comments
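The receiving side of the exchange described in this pull request, as an added example that is not part of the PR or of the project's code: a Go handler a legacy system could expose to answer the `password_migration` hook. The request fields (`identifier`, `password`), the failure codes and status strings, the salted SHA-256 legacy store, the endpoint address and all function names are assumptions; only `{"status": "password_match"}` comes from the page.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"io"
	"net/http"
)

// Assumed request shape; the page does not show what is sent to the hook.
type migrationRequest struct {
	Identifier string `json:"identifier"`
	Password   string `json:"password"`
}

// Constructed legacy store: identifier -> SHA-256(salt + password).
const legacySalt = "constructed-salt"
var legacyUsers = map[string][32]byte{
	"alice@example.org": sha256.Sum256([]byte(legacySalt + "correct horse")),
}

// legacyMatch compares digests in constant time; unknown users never match.
func legacyMatch(id, password string) bool {
	want, known := legacyUsers[id]
	got := sha256.Sum256([]byte(legacySalt + password))
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1 && known
}

// Decide picks the reply; only "password_match" passes the caller's check, the other values are constructed.
func Decide(body io.Reader) (int, string) {
	var req migrationRequest
	if err := json.NewDecoder(io.LimitReader(body, 4096)).Decode(&req); err != nil {
		return http.StatusBadRequest, "bad_request"
	}
	if !legacyMatch(req.Identifier, req.Password) {
		return http.StatusForbidden, "password_mismatch"
	}
	return http.StatusOK, "password_match"
}

func MigrationHook(w http.ResponseWriter, r *http.Request) {
	code, status := Decide(r.Body)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	_ = json.NewEncoder(w).Encode(map[string]string{"status": status}) // small reply, under the caller's 1KB read limit
}

func main() { _ = http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(MigrationHook)) }
```

The endpoint receives plaintext passwords, so it belongs behind TLS and should accept requests only from the identity server.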