Rust implementation of OCI Distribution Spec with granular access control

Hash passwords in users.json instead of storing plaintext #1

Open, opened by pierrelf.com

Problem

Passwords in users.json are stored and compared in plaintext (auth.rs:40). The authenticate_user function does a direct string comparison: u.password == user.password. If the users file is leaked or accessed by an unauthorized party, all credentials are immediately compromised.

Proposed Solution

  • Use argon2 or bcrypt to hash passwords at rest
  • On user creation via the admin API, hash the password before writing to users.json
  • On authentication, verify the incoming password against the stored hash
  • Add a migration path: detect plaintext passwords on startup and warn (or auto-hash them)
  • The grainctl CLI should also hash passwords when creating users

Files to modify

  • src/auth.rs - Replace direct comparison with hash verification
  • src/admin.rs - Hash passwords on user creation
  • src/state.rs - Update User struct if needed
  • src/bin/grainctl.rs - Update CLI user creation
  • Cargo.toml - Add argon2 or bcrypt dependency
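
One way to implement the startup check from the migration-path bullet, as an added example that is not the project's own code: a std-only classifier that tells an Argon2 PHC string or a bcrypt hash apart from a plaintext value. The (username, password) pairs, the function names and the sample values are assumptions constructed for illustration; the real User struct lives in src/state.rs.

```rust
// Added example (std only). Names and sample values are constructed, not from the project.
#[derive(Debug, PartialEq)]
enum Stored { Argon2, Bcrypt, Plaintext }
fn is_b64(s: &str, extra: &str) -> bool {
    !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric() || extra.contains(c))
}
fn digits(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit())
}

/// Classify the password field of one users.json entry by its encoding.
fn classify(field: &str) -> Stored {
    let p: Vec<&str> = field.split('$').collect();
    if p.len() < 4 || !p[0].is_empty() {
        return Stored::Plaintext;
    }
    match p[1] {
        // PHC string: $argon2id$v=19$m=..,t=..,p=..$salt$hash (v= segment optional)
        "argon2id" | "argon2i" | "argon2d" => {
            let rest = if p[2].starts_with("v=") { &p[3..] } else { &p[2..] };
            let ok = rest.len() == 3
                && rest[0].split(',').all(|kv| matches!(kv.split_once('='),
                    Some((k, v)) if matches!(k, "m" | "t" | "p") && digits(v)))
                && is_b64(rest[1], "+/") && is_b64(rest[2], "+/");
            if ok { Stored::Argon2 } else { Stored::Plaintext }
        }
        // Modular crypt format: $2b$<cost>$<22-char salt followed by 31-char hash>
        "2a" | "2b" | "2y" => {
            let ok = p.len() == 4 && p[2].len() == 2 && digits(p[2])
                && p[3].len() == 53 && is_b64(p[3], "./");
            if ok { Stored::Bcrypt } else { Stored::Plaintext }
        }
        _ => Stored::Plaintext,
    }
}

/// Usernames whose stored value is not a recognised hash: warn on these at startup.
fn plaintext_users(users: &[(&str, &str)]) -> Vec<String> {
    users.iter().filter(|(_, pw)| classify(pw) == Stored::Plaintext)
        .map(|(name, _)| name.to_string()).collect()
}

fn main() {
    let users = [("alice", "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHRzYWx0$Y29uc3RydWN0ZWQ"),
                 ("bob", "hunter2")];
    for name in plaintext_users(&users) {
        eprintln!("warning: user {name} has a plaintext password in users.json");
    }
}
```

Anything that does not parse as a hash is only reported here, never rewritten. A plaintext password that happens to be shaped like a hash would pass this check, so an explicit format marker in users.json is more robust than shape detection alone.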