Merge pull request #118 from CodeForPhilly/feat/login-migration-phase-a

feat(auth): three-algorithm password verifier + rehash infrastructure

Author: themightychris

apps/api/package.json

@@ -29,6 +29,7 @@
     "@fastify/static": "^9.1.3",
     "@fastify/swagger": "^9.7.0",
     "@fastify/swagger-ui": "^5.2.6",
+    "argon2": "^0.44.0",
     "bcryptjs": "^3.0.3",
     "better-sqlite3": "^12.10.0",
     "fastify": "^5.8.5",

apps/api/src/auth/argon2-params.ts

@@ -0,0 +1,20 @@
+/**
+ * Argon2id parameter source-of-truth.
+ *
+ * Bumping these values is a deliberate spec event per
+ * specs/behaviors/password-hash-rotation.md — every subsequent
+ * successful login rehashes credentials to the new floor, and the
+ * corpus drifts naturally without retroactive backfill.
+ *
+ * Starting values produce ~50 ms hashes on the production pod's CPU
+ * profile (Linode amd64). Within budget for POST /api/auth/login
+ * latency.
+ */
+import argon2 from 'argon2';
+
+export const ARGON2_PARAMS = {
+  type: argon2.argon2id,
+  memoryCost: 19_456, // 19 MiB
+  timeCost: 2, // iterations
+  parallelism: 1,
+} as const;

apps/api/src/auth/legacy-password.ts

@@ -1,26 +1,139 @@
 /**
- * Legacy laddr password verification.
+ * Legacy password verification + rehash-on-login.
  *
- * Dispatches by hash format prefix so we can support whatever the laddr import
- * lands on. v1 supports bcrypt (`$2a$`, `$2b$`, `$2y$`). Other formats throw
- * UnknownHashFormatError so callers can surface a uniform "credentials invalid"
- * response (rather than leaking algorithm details) while still logging the
- * mismatch internally.
+ * Per specs/behaviors/password-hash-rotation.md. Dispatches by hash
+ * format (SHA-1 unsalted, bcrypt, or argon2id), verifies in constant
+ * time, and reports `needsRehash` so callers can rotate the
+ * credential to argon2id on successful login. The corpus drifts
+ * toward argon2id without forcing a password reset.
+ *
+ * Failure modes — wrong password, missing credential, unknown
+ * format, internal error — collapse to `{ valid: false }` so callers
+ * can return a uniform `invalid_credentials` response without
+ * leaking algorithm or user-existence signal.
  */
+import { createHash, timingSafeEqual } from 'node:crypto';
+
+import argon2 from 'argon2';
 import bcrypt from 'bcryptjs';
 
-export class UnknownHashFormatError extends Error {
-  constructor(prefix: string) {
-    super(`Unknown legacy password hash format: ${prefix}`);
-    this.name = 'UnknownHashFormatError';
+import { ARGON2_PARAMS } from './argon2-params.js';
+
+const BCRYPT_PREFIXES = ['$2a$', '$2b$', '$2y$'];
+const ARGON2ID_PREFIX = '$argon2id$';
+const SHA1_HEX_RE = /^[0-9a-f]{40}$/;
+
+export type VerifyResult =
+  | { valid: true; needsRehash: boolean }
+  | { valid: false };
+
+/**
+ * Verify a plaintext password against a stored hash.
+ *
+ * Returns `{ valid: true, needsRehash }` on a successful match; the
+ * caller is responsible for rotating to argon2id when `needsRehash`
+ * is true.
+ *
+ * Any failure path — wrong password, unrecognized format, internal
+ * error during verify — returns `{ valid: false }` without leaking
+ * the cause. Internal errors are not re-thrown.
+ */
+export async function verifyLegacyPassword(
+  password: string,
+  hash: string,
+): Promise<VerifyResult> {
+  try {
+    if (hash.startsWith(ARGON2ID_PREFIX)) {
+      const ok = await argon2.verify(hash, password);
+      if (!ok) return { valid: false };
+      // Argon2's encoded format embeds the params; if they don't match
+      // the current floor, the credential is correct but stale —
+      // rotate.
+      return { valid: true, needsRehash: argonNeedsRehash(hash) };
+    }
+
+    if (BCRYPT_PREFIXES.some((p) => hash.startsWith(p))) {
+      const ok = await bcrypt.compare(password, hash);
+      if (!ok) return { valid: false };
+      // Spec unifies on argon2id; every bcrypt source rotates on login.
+      // (Laddr is SHA-1, not bcrypt; the bcrypt branch is defensive
+      // fallback for any future bcrypt-imported credentials.)
+      return { valid: true, needsRehash: true };
+    }
+
+    if (SHA1_HEX_RE.test(hash)) {
+      const computedHex = createHash('sha1').update(password).digest('hex');
+      // Length-check before timingSafeEqual — equal lengths are
+      // guaranteed by the regex on `hash` plus sha1's fixed 40-char
+      // output, but defense in depth: timingSafeEqual throws
+      // synchronously on length mismatch, which would itself be a
+      // timing oracle if the throw vs. compare paths differ.
+      if (computedHex.length !== hash.length) return { valid: false };
+      const ok = timingSafeEqual(
+        Buffer.from(computedHex, 'hex'),
+        Buffer.from(hash, 'hex'),
+      );
+      if (!ok) return { valid: false };
+      return { valid: true, needsRehash: true };
+    }
+
+    // Unknown format. No throw — uniform invalid response.
+    return { valid: false };
+  } catch {
+    // Library error, malformed hash that slipped past the regex,
+    // anything else — collapse to invalid. Never leak via different
+    // outcomes.
+    return { valid: false };
   }
 }
 
-const BCRYPT_PREFIXES = ['$2a$', '$2b$', '$2y$'];
+/**
+ * Hash a plaintext password to argon2id with current params. Used
+ * after a successful verify when `needsRehash` is true, and by the
+ * password-reset confirm flow (phase C).
+ */
+export async function rehashPassword(password: string): Promise<string> {
+  return argon2.hash(password, ARGON2_PARAMS);
+}
+
+/**
+ * Returns true when the supplied argon2id-encoded hash uses
+ * parameters different from the current floor (`ARGON2_PARAMS`).
+ */
+function argonNeedsRehash(hash: string): boolean {
+  try {
+    return argon2.needsRehash(hash, ARGON2_PARAMS);
+  } catch {
+    // If parsing the encoded hash fails, conservatively rotate.
+    return true;
+  }
+}
 
-export async function verifyLaddrPassword(password: string, hash: string): Promise<boolean> {
-  if (BCRYPT_PREFIXES.some((p) => hash.startsWith(p))) {
-    return bcrypt.compare(password, hash);
+/**
+ * Pre-computed argon2id hash of a fixed sentinel plaintext. Computed
+ * lazily on first `dummyVerify` so we don't block module load.
+ */
+let dummyHashPromise: Promise<string> | null = null;
+function ensureDummyHash(): Promise<string> {
+  if (!dummyHashPromise) {
+    dummyHashPromise = rehashPassword('this-string-is-never-a-real-password');
+  }
+  return dummyHashPromise;
+}
+
+/**
+ * Run an argon2 verify against a fixed sentinel hash. Always returns
+ * `{ valid: false }`. Callers invoke this when the user or credential
+ * lookup misses so the overall response timing matches the success
+ * path — per specs/behaviors/password-hash-rotation.md
+ * § anti-enumeration timing.
+ */
+export async function dummyVerify(): Promise<VerifyResult> {
+  try {
+    const dummy = await ensureDummyHash();
+    await argon2.verify(dummy, 'this-string-also-never-a-real-password');
+  } catch {
+    // Outcome doesn't matter — purpose is timing, not correctness.
   }
-  throw new UnknownHashFormatError(hash.slice(0, Math.min(4, hash.length)));
+  return { valid: false };
 }

apps/api/src/routes/account-claim.ts

@@ -266,14 +266,10 @@ export async function accountClaimRoutes(fastify: FastifyInstance): Promise<void
 
       const outcome = result.value;
       if (!outcome.ok) {
-        if (outcome.reason === 'unknown_format') {
-          // Internal log — uniform user-facing response per anti-enumeration.
-          request.log.warn(
-            { slug, reason: 'unknown_format' },
-            'legacy password hash format unknown',
-          );
-        }
-        // Uniform 401 for any failure
+        // Uniform 401 for any failure — verifier collapses
+        // wrong-password / unknown-format / internal-error into a
+        // single `wrong_password` reason per
+        // specs/behaviors/password-hash-rotation.md.
         throw new UnauthenticatedError(
           'Invalid credentials',
           'claim_credentials_invalid',

apps/api/src/services/account-claim.ts

@@ -38,7 +38,7 @@ import type {
   ClaimPendingClaims,
   GhIdentitySnapshot,
 } from '../auth/jwt.js';
-import { verifyLaddrPassword, UnknownHashFormatError } from '../auth/legacy-password.js';
+import { verifyLegacyPassword } from '../auth/legacy-password.js';
 import { GitHubAccountService } from './github-account.js';
 import type { ResolvedGitHubIdentity } from '../auth/github-client.js';
 
@@ -253,7 +253,7 @@ export class AccountClaimService {
     password: string,
   ): Promise<
     | { ok: true; result: AutoClaimResult }
-    | { ok: false; code: 'invalid'; reason: 'no_slug' | 'already_claimed' | 'no_credential' | 'wrong_password' | 'unknown_format' }
+    | { ok: false; code: 'invalid'; reason: 'no_slug' | 'already_claimed' | 'no_credential' | 'wrong_password' }
   > {
     const personId = this.#state.personIdBySlug.get(slug.toLowerCase());
     if (!personId) {
@@ -272,16 +272,13 @@ export class AccountClaimService {
       return { ok: false, code: 'invalid', reason: 'no_credential' };
     }
 
-    let matched: boolean;
-    try {
-      matched = await verifyLaddrPassword(password, cred.passwordHash);
-    } catch (err) {
-      if (err instanceof UnknownHashFormatError) {
-        return { ok: false, code: 'invalid', reason: 'unknown_format' };
-      }
-      throw err;
-    }
-    if (!matched) {
+    // verifyLegacyPassword collapses wrong-password, unknown-format,
+    // and internal errors into a uniform `{ valid: false }` per
+    // specs/behaviors/password-hash-rotation.md — the byPassword path
+    // surfaces this as `wrong_password` and the route translates to
+    // the uniform `claim_credentials_invalid` user-facing response.
+    const verifyResult = await verifyLegacyPassword(password, cred.passwordHash);
+    if (!verifyResult.valid) {
       return { ok: false, code: 'invalid', reason: 'wrong_password' };
     }
 

apps/api/tests/account-claim.test.ts

@@ -371,6 +371,7 @@ describe('POST /api/account-claim/by-password', () => {
   let app: FastifyInstance;
   const candidateId = '01951a3c-0000-7000-8000-0000ddddddd1';
   const linkedId = '01951a3c-0000-7000-8000-0000ddddddd2';
+  const sha1CandidateId = '01951a3c-0000-7000-8000-0000ddddddd3';
   const correctPassword = 'hunter2-correct';
 
   beforeAll(async () => {
@@ -389,6 +390,15 @@ describe('POST /api/account-claim/by-password', () => {
     });
     await seedPrivateProfile(privateStore.path, linkedId, 'linked@example.com');
     await seedLegacyPassword(privateStore.path, linkedId, hash);
+    // Legacy-laddr candidate with an unsalted SHA-1 hash (the actual
+    // production format per emergence-skeleton User.class.php:33). The
+    // new verifier accepts this path; pre-rewrite the verifier only
+    // knew bcrypt.
+    await seedPerson(dataRepo.path, 'sha1-user', sha1CandidateId);
+    await seedPrivateProfile(privateStore.path, sha1CandidateId, 'sha1-user@example.com');
+    const { createHash } = await import('node:crypto');
+    const sha1Hash = createHash('sha1').update(correctPassword).digest('hex');
+    await seedLegacyPassword(privateStore.path, sha1CandidateId, sha1Hash);
 
     app = await buildTestApp(dataRepo.path, privateStore.path);
   }, 60_000);
@@ -417,6 +427,27 @@ describe('POST /api/account-claim/by-password', () => {
     expect(cred).toBeNull();
   });
 
+  it('claims on correct password against a SHA-1 hash (legacy laddr format)', async () => {
+    const token = await mintClaim('3010', 'gh-sha1-user', ['gh-sha1-fresh@example.com'], []);
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/account-claim/by-password',
+      remoteAddress: nextTestIp(),
+      cookies: { cfp_claim: token },
+      payload: { slug: 'sha1-user', password: correctPassword },
+    });
+    expect(res.statusCode).toBe(200);
+
+    const person = app.inMemoryState.people.get(sha1CandidateId);
+    expect(person?.githubUserId).toBe(3010);
+
+    // Credential deleted on successful claim (per byPassword semantics —
+    // the claim path still removes the credential since the user is now
+    // GitHub-linked. Rehash-on-keep is a phase-B concern.)
+    const cred = await app.store.private.getLegacyPassword(sha1CandidateId);
+    expect(cred).toBeNull();
+  });
+
   it('returns uniform 401 claim_credentials_invalid for unknown slug', async () => {
     const token = await mintClaim('3002', 'gh-nothing-user', ['none@example.com'], []);
     const res = await app.inject({