author BlackDex <[email protected]> 2023-02-28 23:09:51 +0100
committer BlackDex <[email protected]> 2023-03-04 16:15:30 +0100
commit de157b26543172fe48aa44af578e229b1db65475 (patch)
tree 0344a62b1cee699842c02195840aaebed966f51f /src/config.rs
parent 337cbfaf22ee28316ea09e859be0527416fe7da5 (diff)
Admin token Argon2 hashing support
Added support for Argon2 hashing for the `ADMIN_TOKEN` instead of only supporting a plain text string.

The hash must be a PHC string which can be generated via the `argon2` CLI **or** via the also built-in hash command in Vaultwarden.

You can simply run `vaultwarden hash` to generate a hash based upon a password the user provides themselves.

Added a warning during startup and within the admin settings panel if the `ADMIN_TOKEN` is not an Argon2 hash.

Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the `ADMIN_TOKEN` has been converted to an Argon2 hash.

I have also tested this on my RaspberryPi 2b and there the `Bitwarden` preset takes almost 4.5 seconds to generate/verify the Argon2 hash.

Using the `OWASP` preset it is below 1 second, which I think should be fine for low-graded hardware. If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden itself would run. They can always use the `argon2` CLI and generate a faster hash.
Diffstat (limited to 'src/config.rs')
-rw-r--r-- src/config.rs 19
1 files changed, 18 insertions, 1 deletions
diff --git a/src/config.rs b/src/config.rs
index f3736a1f..6ed19a79 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -19,7 +19,7 @@ static CONFIG_FILE: Lazy<String> = Lazy::new(|| {
pub static CONFIG: Lazy<Config> = Lazy::new(|| {
Config::load().unwrap_or_else(|e| {
- println!("Error loading config:\n\t{e:?}\n");
+ println!("Error loading config:\n {e:?}\n");
exit(12)
})
});
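Review bot: The `println!` in the `Config::load()` failure path sends a fatal configuration error to stdout right before `exit(12)`; `eprintln!` would put it on stderr, where service managers and log collectors expect fatal startup errors. The `\t` to spaces change in the message is also unrelated to the admin-token hashing work and would be easier to review as its own commit.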
@@ -872,6 +872,23 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
err!("`EVENT_CLEANUP_SCHEDULE` is not a valid cron expression")
}
+ if !cfg.disable_admin_token {
+ match cfg.admin_token.as_ref() {
+ Some(t) if t.starts_with("$argon2") => {
+ if let Err(e) = argon2::password_hash::PasswordHash::new(t) {
+ err!(format!("The configured Argon2 PHC in `ADMIN_TOKEN` is invalid: '{e}'"))
+ }
+ }
+ Some(_) => {
+ println!(
+ "[NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.\n\
+ Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.\n\
+ See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token\n"
+ );
+ }
+ _ => {}
+ }
+ }
Ok(())
}
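Review bot: In the `Some(t) if t.starts_with("$argon2")` arm, `PasswordHash::new(t)` only confirms that the value parses as a PHC string, so a value with an unsupported `$argon2`-prefixed identifier, or one that was truncated before its salt or hash output, can pass startup validation and only fail later when an admin tries to log in. Consider also checking here that the algorithm identifier is one the verifier accepts and that a hash output is present. The prefix test also runs on the raw value, so a hash that arrives wrapped in quotes or with leading whitespace falls through to `Some(_)` and is accepted as a plain-text token with only the `[NOTICE]` printed; trimming before the match, or returning `err!` when `$argon2` appears anywhere in a value that does not start with it, would turn that misconfiguration into a hard failure.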