*.ex diff=elixir
*.exs diff=elixir
-# Most of js/css files included in the repo are minified bundles,
-# and we don't want to search/diff those as text files.
-*.js binary
-*.js.map binary
-*.css binary
-
*.css diff=css
- Prometheus metrics exporting from `/api/v1/akkoma/metrics`
- Ability to alter http pool size
- Translation of statuses via ArgosTranslate
+- Argon2 password hashing
+- Ability to "verify" links in profile fields via rel=me
+- Mix tasks to dump/load config to/from json for bulk editing
### Removed
- Non-finch HTTP adapters
- Legacy redirect from /api/pleroma/admin to /api/v1/pleroma/admin
- Legacy redirects from /api/pleroma to /api/v1/pleroma
+- :crypt dependency
### Changed
- Return HTTP error 413 when uploading an avatar or banner that's above the configured upload limit instead of a 500.
```sh
mix pleroma.config [--force] reset
```
+
+## Dumping specific configuration values to JSON
+
+If you want to bulk-modify configuration values (for example, for MRF modifications),
+it may be easier to dump the values to JSON and then modify them in a text editor.
+
+=== "OTP"
+
+ ```sh
+ ./bin/pleroma_ctl config dump_to_file group key path
+ # For example, to dump the MRF simple configuration:
+ ./bin/pleroma_ctl config dump_to_file pleroma mrf_simple /tmp/mrf_simple.json
+ ```
+
+=== "From Source"
+
+ ```sh
+ mix pleroma.config dump_to_file group key path
+ # For example, to dump the MRF simple configuration:
+ mix pleroma.config dump_to_file pleroma mrf_simple /tmp/mrf_simple.json
+ ```
+
+## Loading specific configuration values from JSON
+
+**Note:** This will overwrite any existing value in the database, and can
+cause crashes if you do not have exactly the correct formatting.
+
+Once you have modified the JSON file, you can load it back into the database.
+
+=== "OTP"
+
+ ```sh
+ ./bin/pleroma_ctl config load_from_file path
+ # For example, to load the MRF simple configuration:
+ ./bin/pleroma_ctl config load_from_file /tmp/mrf_simple.json
+ ```
+
+=== "From Source"
+
+ ```sh
+ mix pleroma.config load_from_file path
+ # For example, to load the MRF simple configuration:
+ mix pleroma.config load_from_file /tmp/mrf_simple.json
+ ```
+
+**NOTE** an instance reboot is needed for many changes to take effect,
+you may want to visit `/api/v1/pleroma/admin/restart` on your instance
+to soft-restart the instance.
You can still install frontends that are not configured, see below.
-## Example installations for a known frontend
+## Example installations for a known frontend (Stable-Version)
For a frontend configured under the `available` key, it's enough to install it by name.
=== "OTP"
```sh
- ./bin/pleroma_ctl frontend install pleroma-fe
+ ./bin/pleroma_ctl frontend install pleroma-fe --ref stable
```
=== "From Source"
```sh
- mix pleroma.frontend install pleroma-fe
+ mix pleroma.frontend install pleroma-fe --ref stable
```
This will download the latest build for the pre-configured `ref` and install it. It can then be configured as the one of the served frontends in the config file (see `primary` or `admin`).
# Updating your instance
-You should **always check the [release notes/changelog](https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/CHANGELOG.md)** in case there are config deprecations, special update steps, etc.
+You should **always check the [release notes/changelog](https://akkoma.dev/AkkomaGang/akkoma/src/branch/stable/CHANGELOG.md)** in case there are config deprecations, special update steps, etc.
Besides that, doing the following is generally enough:
## Switch to the akkoma user
Run as the `akkoma` user:
```sh
-# Pull in new changes
-git pull
+# fetch changes
+git fetch
+# check out the latest tag
+git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)
# Run with production configuration
export MIX_ENV=prod
# Run database migrations
mix ecto.migrate
-# Update frontend(s). See Frontend Configration doc for more information.
+# Update Pleroma-FE frontend to latest stable. For other Frontends see Frontend Configration doc for more information.
mix pleroma.frontend install pleroma-fe --ref stable
# Start akkoma (replace with your system service manager's equivalent if different)
**Note**: To execute a single command as the Akkoma system user, use `doas -u akkoma command`. You can also switch to a shell by using `doas -su akkoma`. If you don’t have and want `doas` on your system, you can use `su` as root user (UID 0) for a single command by using `su -l akkoma -s $SHELL -c 'command'` and `su -l akkoma -s $SHELL` for starting a shell.
-* Git clone the AkkomaBE repository and make the Akkoma user the owner of the directory:
+* Git clone the AkkomaBE repository from stable-branch and make the Akkoma user the owner of the directory:
```shell
doas mkdir -p /opt/akkoma
doas chown -R akkoma:akkoma /opt/akkoma
-doas -u akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git /opt/akkoma
+doas -u akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git -b stable /opt/akkoma
```
* Change to the new directory:
* This may take some time, because parts of akkoma get compiled first.
* After that it will ask you a few questions about your instance and generates a configuration file in `config/generated_config.exs`.
-* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instance, `dev.secret.exs` for development instances):
+* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instances):
```shell
doas -u akkoma mv config/{generated_config.exs,prod.secret.exs}
**Note**: To execute a single command as the Akkoma system user, use `sudo -Hu akkoma command`. You can also switch to a shell by using `sudo -Hu akkoma $SHELL`. If you don’t have and want `sudo` on your system, you can use `su` as root user (UID 0) for a single command by using `su -l akkoma -s $SHELL -c 'command'` and `su -l akkoma -s $SHELL` for starting a shell.
-* Git clone the AkkomaBE repository and make the Akkoma user the owner of the directory:
+* Git clone the AkkomaBE repository from stable-branch and make the Akkoma user the owner of the directory:
```shell
sudo mkdir -p /opt/akkoma
sudo chown -R akkoma:akkoma /opt/akkoma
-sudo -Hu akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git /opt/akkoma
+sudo -Hu akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git -b stable /opt/akkoma
```
* Change to the new directory:
* This may take some time, because parts of akkoma get compiled first.
* After that it will ask you a few questions about your instance and generates a configuration file in `config/generated_config.exs`.
-* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instance, `dev.secret.exs` for development instances):
+* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instances):
```shell
sudo -Hu akkoma mv config/{generated_config.exs,prod.secret.exs}
**Note**: To execute a single command as the Akkoma system user, use `sudo -Hu akkoma command`. You can also switch to a shell by using `sudo -Hu akkoma $SHELL`. If you don’t have and want `sudo` on your system, you can use `su` as root user (UID 0) for a single command by using `su -l akkoma -s $SHELL -c 'command'` and `su -l akkoma -s $SHELL` for starting a shell.
-* Git clone the AkkomaBE repository and make the Akkoma user the owner of the directory:
+* Git clone the AkkomaBE repository from stable-branch and make the Akkoma user the owner of the directory:
```shell
sudo mkdir -p /opt/akkoma
sudo chown -R akkoma:akkoma /opt/akkoma
-sudo -Hu akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git /opt/akkoma
+sudo -Hu akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git -b stable /opt/akkoma
```
* Change to the new directory:
* This may take some time, because parts of akkoma get compiled first.
* After that it will ask you a few questions about your instance and generates a configuration file in `config/generated_config.exs`.
-* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instance, `dev.secret.exs` for development instances):
+* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instances):
```shell
sudo -Hu akkoma mv config/{generated_config.exs,prod.secret.exs}
* Enable and initialize Postgres:
```shell
-sudo systemctl enable postgresql.service
sudo postgresql-setup --initdb --unit postgresql
# Allow password auth for postgres
sudo sed -E -i 's|(host +all +all +127.0.0.1/32 +)ident|\1md5|' /var/lib/pgsql/data/pg_hba.conf
-sudo systemctl start postgresql.service
+sudo systemctl enable --now postgresql.service
```
### Install Elixir and Erlang
* Install ImageMagick and ExifTool for image manipulation:
```shell
-sudo dnf install Imagemagick perl-Image-ExifTool
+sudo dnf install ImageMagick perl-Image-ExifTool
```
**Note**: To execute a single command as the Akkoma system user, use `sudo -Hu akkoma command`. You can also switch to a shell by using `sudo -Hu akkoma $SHELL`. If you don’t have and want `sudo` on your system, you can use `su` as root user (UID 0) for a single command by using `su -l akkoma -s $SHELL -c 'command'` and `su -l akkoma -s $SHELL` for starting a shell.
-* Git clone the AkkomaBE repository and make the Akkoma user the owner of the directory:
+* Git clone the AkkomaBE repository from stable-branch and make the Akkoma user the owner of the directory:
```shell
sudo mkdir -p /opt/akkoma
sudo chown -R akkoma:akkoma /opt/akkoma
-sudo -Hu akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git /opt/akkoma
+sudo -Hu akkoma git clone https://akkoma.dev/AkkomaGang/akkoma.git -b stable /opt/akkoma
```
* Change to the new directory:
* This may take some time, because parts of akkoma get compiled first.
* After that it will ask you a few questions about your instance and generates a configuration file in `config/generated_config.exs`.
-* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instance, `dev.secret.exs` for development instances):
+* Check the configuration and if all looks right, rename it, so Akkoma will load it (`prod.secret.exs` for productive instances):
```shell
sudo -Hu akkoma mv config/{generated_config.exs,prod.secret.exs}
```shell
cd ~
-git clone https://akkoma.dev/AkkomaGang/akkoma.git
+git clone https://akkoma.dev/AkkomaGang/akkoma.git -b stable
```
* Change to the new directory:
https://akkoma-updates.s3-website.fr-par.scw.cloud/{branch}/akkoma-{flavour}.zip
```
-Where branch is usually `stable` or `develop`, and `flavour` is
+Where branch is usually `stable` and `flavour` is
the one [that you detect on install](../otp_en/#detecting-flavour).
So, for an AMD64 stable install, your update URL will be
end)
end
+ def run(["dump_to_file", group, key, fname]) do
+ check_configdb(fn ->
+ start_pleroma()
+
+ group = maybe_atomize(group)
+ key = maybe_atomize(key)
+
+ config = ConfigDB.get_by_group_and_key(group, key)
+
+ json =
+ %{
+ group: ConfigDB.to_json_types(config.group),
+ key: ConfigDB.to_json_types(config.key),
+ value: ConfigDB.to_json_types(config.value)
+ }
+ |> Jason.encode!()
+ |> Jason.Formatter.pretty_print()
+
+ File.write(fname, json)
+ shell_info("Wrote #{group}_#{key}.json")
+ end)
+ end
+
+ def run(["load_from_file", fname]) do
+ check_configdb(fn ->
+ start_pleroma()
+
+ json = File.read!(fname)
+ config = Jason.decode!(json)
+ group = ConfigDB.to_elixir_types(config["group"])
+ key = ConfigDB.to_elixir_types(config["key"])
+ value = ConfigDB.to_elixir_types(config["value"])
+ params = %{group: group, key: key, value: value}
+
+ ConfigDB.update_or_create(params)
+ shell_info("Loaded #{config["group"]}, #{config["key"]}")
+ end)
+ end
+
def run(["groups"]) do
check_configdb(fn ->
start_pleroma()
build_cachex("banned_urls", default_ttl: :timer.hours(24 * 30), limit: 5_000),
build_cachex("translations", default_ttl: :timer.hours(24 * 30), limit: 2500),
build_cachex("instances", default_ttl: :timer.hours(24), ttl_interval: 1000, limit: 2500),
- build_cachex("request_signatures", default_ttl: :timer.hours(24 * 30), limit: 3000)
+ build_cachex("request_signatures", default_ttl: :timer.hours(24 * 30), limit: 3000),
+ build_cachex("rel_me", default_ttl: :timer.hours(24 * 30), limit: 300)
]
end
--- /dev/null
+defmodule Pleroma.Password do
+ @moduledoc """
+ This module handles password hashing and verification.
+ It will delegate to the appropriate module based on the password hash.
+ It also handles upgrading of password hashes.
+ """
+
+ alias Pleroma.User
+ alias Pleroma.Password.Pbkdf2
+ require Logger
+
+ @hashing_module Argon2
+
+ @spec hash_pwd_salt(String.t()) :: String.t()
+ defdelegate hash_pwd_salt(pass), to: @hashing_module
+
+ @spec checkpw(String.t(), String.t()) :: boolean()
+ def checkpw(password, "$2" <> _ = password_hash) do
+ # Handle bcrypt passwords for Mastodon migration
+ Bcrypt.verify_pass(password, password_hash)
+ end
+
+ def checkpw(password, "$pbkdf2" <> _ = password_hash) do
+ Pbkdf2.verify_pass(password, password_hash)
+ end
+
+ def checkpw(password, "$argon2" <> _ = password_hash) do
+ Argon2.verify_pass(password, password_hash)
+ end
+
+ def checkpw(_password, _password_hash) do
+ Logger.error("Password hash not recognized")
+ false
+ end
+
+ @spec maybe_update_password(User.t(), String.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
+ def maybe_update_password(%User{password_hash: "$2" <> _} = user, password) do
+ do_update_password(user, password)
+ end
+
+ def maybe_update_password(%User{password_hash: "$6" <> _} = user, password) do
+ do_update_password(user, password)
+ end
+
+ def maybe_update_password(%User{password_hash: "$pbkdf2" <> _} = user, password) do
+ do_update_password(user, password)
+ end
+
+ def maybe_update_password(user, _), do: {:ok, user}
+
+ defp do_update_password(user, password) do
+ User.reset_password(user, %{password: password, password_confirmation: password})
+ end
+end
|> validate_format(:nickname, @email_regex)
|> validate_length(:bio, max: bio_limit)
|> validate_length(:name, max: name_limit)
- |> validate_fields(true)
+ |> validate_fields(true, struct)
|> validate_non_local()
end
:pleroma_settings_store,
&{:ok, Map.merge(struct.pleroma_settings_store, &1)}
)
- |> validate_fields(false)
+ |> validate_fields(false, struct)
end
defp put_fields(changeset) do
defp put_password_hash(
%Ecto.Changeset{valid?: true, changes: %{password: password}} = changeset
) do
- change(changeset, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+ change(changeset, password_hash: Pleroma.Password.hash_pwd_salt(password))
end
defp put_password_hash(changeset), do: changeset
|> update_and_set_cache()
end
- def validate_fields(changeset, remote? \\ false) do
+ @spec validate_fields(Ecto.Changeset.t(), Boolean.t(), User.t()) :: Ecto.Changeset.t()
+ def validate_fields(changeset, remote? \\ false, struct) do
limit_name = if remote?, do: :max_remote_account_fields, else: :max_account_fields
limit = Config.get([:instance, limit_name], 0)
[fields: "invalid"]
end
end)
+ |> maybe_validate_rel_me_field(struct)
end
defp valid_field?(%{"name" => name, "value" => value}) do
defp valid_field?(_), do: false
+ defp is_url(nil), do: nil
+
+ defp is_url(uri) do
+ case URI.parse(uri) do
+ %URI{host: nil} -> false
+ %URI{scheme: nil} -> false
+ _ -> true
+ end
+ end
+
+ @spec maybe_validate_rel_me_field(Changeset.t(), User.t()) :: Changeset.t()
+ defp maybe_validate_rel_me_field(changeset, %User{ap_id: _ap_id} = struct) do
+ fields = get_change(changeset, :fields)
+ raw_fields = get_change(changeset, :raw_fields)
+
+ if is_nil(fields) do
+ changeset
+ else
+ validate_rel_me_field(changeset, fields, raw_fields, struct)
+ end
+ end
+
+ defp maybe_validate_rel_me_field(changeset, _), do: changeset
+
+ @spec validate_rel_me_field(Changeset.t(), [Map.t()], [Map.t()], User.t()) :: Changeset.t()
+ defp validate_rel_me_field(changeset, fields, raw_fields, %User{
+ nickname: nickname,
+ ap_id: ap_id
+ }) do
+ fields =
+ fields
+ |> Enum.with_index()
+ |> Enum.map(fn {%{"name" => name, "value" => value}, index} ->
+ raw_value =
+ if is_nil(raw_fields) do
+ nil
+ else
+ Enum.at(raw_fields, index)["value"]
+ end
+
+ if is_url(raw_value) do
+ frontend_url =
+ Pleroma.Web.Router.Helpers.redirect_url(
+ Pleroma.Web.Endpoint,
+ :redirector_with_meta,
+ nickname
+ )
+
+ possible_urls = [ap_id, frontend_url]
+
+ with "me" <- RelMe.maybe_put_rel_me(raw_value, possible_urls) do
+ %{
+ "name" => name,
+ "value" => value,
+ "verified_at" => DateTime.to_iso8601(DateTime.utc_now())
+ }
+ else
+ e ->
+ Logger.error("Could not check for rel=me, #{inspect(e)}")
+ %{"name" => name, "value" => value}
+ end
+ else
+ %{"name" => name, "value" => value}
+ end
+ end)
+
+ put_change(changeset, :fields, fields)
+ end
+
defp truncate_field(%{"name" => name, "value" => value}) do
{name, _chopped} =
String.split_at(name, Config.get([:instance, :account_field_name_length], 255))
# - display name
def sanitize_html(%User{} = user, filter) do
fields =
- Enum.map(user.fields, fn %{"name" => name, "value" => value} ->
- %{
- "name" => name,
- "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
- }
+ Enum.map(user.fields, fn %{"value" => value} = field ->
+ Map.put(field, "value", HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly))
end)
user
alias Pleroma.Registration
alias Pleroma.Repo
alias Pleroma.User
- alias Pleroma.Web.Plugs.AuthenticationPlug
import Pleroma.Web.Auth.Helpers, only: [fetch_credentials: 1, fetch_user: 1]
def get_user(%Plug.Conn{} = conn) do
with {:ok, {name, password}} <- fetch_credentials(conn),
{_, %User{} = user} <- {:user, fetch_user(name)},
- {_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)},
- {:ok, user} <- AuthenticationPlug.maybe_update_password(user, password) do
+ {_, true} <- {:checkpw, Pleroma.Password.checkpw(password, user.password_hash)},
+ {:ok, user} <- Pleroma.Password.maybe_update_password(user, password) do
{:ok, user}
else
{:error, _reason} = error -> error
alias Pleroma.MFA
alias Pleroma.MFA.TOTP
alias Pleroma.User
- alias Pleroma.Web.Plugs.AuthenticationPlug
@doc "Verify code or check backup code."
@spec verify(String.t(), User.t()) ::
code
)
when is_list(codes) and is_binary(code) do
- hash_code = Enum.find(codes, fn hash -> AuthenticationPlug.checkpw(code, hash) end)
+ hash_code = Enum.find(codes, fn hash -> Pleroma.Password.checkpw(code, hash) end)
if hash_code do
MFA.invalidate_backup_code(user, hash_code)
alias Pleroma.Web.ActivityPub.Visibility
alias Pleroma.Web.CommonAPI.ActivityDraft
alias Pleroma.Web.MediaProxy
- alias Pleroma.Web.Plugs.AuthenticationPlug
alias Pleroma.Web.Utils.Params
require Logger
@spec confirm_current_password(User.t(), String.t()) :: {:ok, User.t()} | {:error, String.t()}
def confirm_current_password(user, password) do
with %User{local: true} = db_user <- User.get_cached_by_id(user.id),
- true <- AuthenticationPlug.checkpw(password, db_user.password_hash) do
+ true <- Pleroma.Password.checkpw(password, db_user.password_hash) do
{:ok, db_user}
else
_ -> {:error, dgettext("errors", "Invalid password.")}
alias Pleroma.Repo
alias Pleroma.User
- alias Pleroma.Web.Plugs.AuthenticationPlug
alias Pleroma.Web.Plugs.RateLimiter
plug(RateLimiter, [name: :authentication] when action in [:user_exists, :check_password])
def check_password(conn, %{"user" => username, "pass" => password}) do
with %User{password_hash: password_hash, is_active: true} <-
Repo.get_by(User, nickname: username, local: true),
- true <- AuthenticationPlug.checkpw(password, password_hash) do
+ true <- Pleroma.Password.checkpw(password, password_hash) do
conn
|> json(true)
else
alias Pleroma.Helpers.AuthHelper
alias Pleroma.User
+ alias Pleroma.Password
import Plug.Conn
} = conn,
_
) do
- if checkpw(password, password_hash) do
- {:ok, auth_user} = maybe_update_password(auth_user, password)
+ if Password.checkpw(password, password_hash) do
+ {:ok, auth_user} = Password.maybe_update_password(auth_user, password)
conn
|> assign(:user, auth_user)
def call(conn, _), do: conn
- def checkpw(password, "$6" <> _ = password_hash) do
- :crypt.crypt(password, password_hash) == password_hash
- end
-
- def checkpw(password, "$2" <> _ = password_hash) do
- # Handle bcrypt passwords for Mastodon migration
- Bcrypt.verify_pass(password, password_hash)
- end
-
- def checkpw(password, "$pbkdf2" <> _ = password_hash) do
- Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
- end
-
- def checkpw(_password, _password_hash) do
- Logger.error("Password hash not recognized")
- false
- end
-
- def maybe_update_password(%User{password_hash: "$2" <> _} = user, password) do
- do_update_password(user, password)
- end
-
- def maybe_update_password(%User{password_hash: "$6" <> _} = user, password) do
- do_update_password(user, password)
- end
-
- def maybe_update_password(user, _), do: {:ok, user}
-
- defp do_update_password(user, password) do
- User.reset_password(user, %{password: password, password_confirmation: password})
- end
+ @spec checkpw(String.t(), String.t()) :: boolean
+ defdelegate checkpw(password, hash), to: Password
end
def maybe_put_rel_me("http" <> _ = target_page, profile_urls) when is_list(profile_urls) do
{:ok, rel_me_hrefs} = parse(target_page)
-
true = Enum.any?(rel_me_hrefs, fn x -> x in profile_urls end)
"me"
rescue
- _ -> nil
+ e -> nil
end
def maybe_put_rel_me(_, _) do
{:sweet_xml, "~> 0.7.2"},
{:earmark, "~> 1.4.15"},
{:bbcode_pleroma, "~> 0.2.0"},
- {:crypt,
- git: "https://github.com/msantos/crypt.git",
- ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"},
+ {:argon2_elixir, "~> 3.0.0"},
{:cors_plug, "~> 2.0"},
{:web_push_encryption, "~> 0.3.1"},
{:swoosh, "~> 1.0"},
%{
+ "argon2_elixir": {:hex, :argon2_elixir, "3.0.0", "fd4405f593e77b525a5c667282172dd32772d7c4fa58cdecdaae79d2713b6c5f", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "8b753b270af557d51ba13fcdebc0f0ab27a2a6792df72fd5a6cf9cfaffcedc57"},
"base62": {:hex, :base62, "1.2.2", "85c6627eb609317b70f555294045895ffaaeb1758666ab9ef9ca38865b11e629", [:mix], [{:custom_base, "~> 0.2.1", [hex: :custom_base, repo: "hexpm", optional: false]}], "hexpm", "d41336bda8eaa5be197f1e4592400513ee60518e5b9f4dcf38f4b4dae6f377bb"},
"bbcode_pleroma": {:hex, :bbcode_pleroma, "0.2.0", "d36f5bca6e2f62261c45be30fa9b92725c0655ad45c99025cb1c3e28e25803ef", [:mix], [{:nimble_parsec, "~> 0.5", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "19851074419a5fedb4ef49e1f01b30df504bb5dbb6d6adfc135238063bebd1c3"},
"bcrypt_elixir": {:hex, :bcrypt_elixir, "2.3.1", "5114d780459a04f2b4aeef52307de23de961b69e13a5cd98a911e39fda13f420", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "42182d5f46764def15bf9af83739e3bf4ad22661b1c34fc3e88558efced07279"},
"cowboy_telemetry": {:hex, :cowboy_telemetry, "0.3.1", "ebd1a1d7aff97f27c66654e78ece187abdc646992714164380d8a041eda16754", [:rebar3], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "3a6efd3366130eab84ca372cbd4a7d3c3a97bdfcfb4911233b035d117063f0af"},
"cowlib": {:hex, :cowlib, "2.11.0", "0b9ff9c346629256c42ebe1eeb769a83c6cb771a6ee5960bd110ab0b9b872063", [:make, :rebar3], [], "hexpm", "2b3e9da0b21c4565751a6d4901c20d1b4cc25cbb7fd50d91d2ab6dd287bc86a9"},
"credo": {:git, "https://github.com/rrrene/credo.git", "1c1b99ea41a457761383d81aaf6a606913996fe7", [ref: "1c1b99ea41a457761383d81aaf6a606913996fe7"]},
- "crypt": {:git, "https://github.com/msantos/crypt.git", "f75cd55325e33cbea198fb41fe41871392f8fb76", [ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"]},
"custom_base": {:hex, :custom_base, "0.2.1", "4a832a42ea0552299d81652aa0b1f775d462175293e99dfbe4d7dbaab785a706", [:mix], [], "hexpm", "8df019facc5ec9603e94f7270f1ac73ddf339f56ade76a721eaa57c1493ba463"},
"db_connection": {:hex, :db_connection, "2.4.3", "3b9aac9f27347ec65b271847e6baeb4443d8474289bd18c1d6f4de655b70c94d", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "c127c15b0fa6cfb32eed07465e05da6c815b032508d4ed7c116122871df73c12"},
"decimal": {:hex, :decimal, "2.0.0", "a78296e617b0f5dd4c6caf57c714431347912ffb1d0842e998e9792b5642d697", [:mix], [], "hexpm", "34666e9c55dea81013e77d9d87370fe6cb6291d1ef32f46a1600230b1d44f577"},
{:ok, [code1, code2]} = MFA.generate_backup_codes(user)
updated_user = refresh_record(user)
[hash1, hash2] = updated_user.multi_factor_authentication_settings.backup_codes
- assert Pleroma.Password.Pbkdf2.verify_pass(code1, hash1)
- assert Pleroma.Password.Pbkdf2.verify_pass(code2, hash2)
+ assert Pleroma.Password.checkpw(code1, hash1)
+ assert Pleroma.Password.checkpw(code2, hash2)
end
end
--- /dev/null
+defmodule Pleroma.PasswordTest do
+ use Pleroma.DataCase, async: true
+ import Pleroma.Factory
+ import ExUnit.CaptureLog
+
+ alias Pleroma.Password
+
+ describe "hash_pwd_salt/1" do
+ test "returns a hash" do
+ assert "$argon2id" <> _ = Password.hash_pwd_salt("test")
+ end
+ end
+
+ describe "maybe_update_password/2" do
+ test "with a bcrypt hash, it updates to an argon2 hash" do
+ user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123"))
+ assert "$2" <> _ = user.password_hash
+
+ {:ok, user} = Password.maybe_update_password(user, "123")
+ assert "$argon2" <> _ = user.password_hash
+ end
+
+ test "with a pbkdf2 hash, it updates to an argon2 hash" do
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("123"))
+ assert "$pbkdf2" <> _ = user.password_hash
+
+ {:ok, user} = Password.maybe_update_password(user, "123")
+ assert "$argon2" <> _ = user.password_hash
+ end
+ end
+
+ describe "checkpw/2" do
+ test "check pbkdf2 hash" do
+ hash =
+ "$pbkdf2-sha512$160000$loXqbp8GYls43F0i6lEfIw$AY.Ep.2pGe57j2hAPY635sI/6w7l9Q9u9Bp02PkPmF3OrClDtJAI8bCiivPr53OKMF7ph6iHhN68Rom5nEfC2A"
+
+ assert Password.checkpw("test-password", hash)
+ refute Password.checkpw("test-password1", hash)
+ end
+
+ test "check bcrypt hash" do
+ hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS"
+
+ assert Password.checkpw("password", hash)
+ refute Password.checkpw("password1", hash)
+ end
+
+ test "check argon2 hash" do
+ hash =
+ "$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
+
+ assert Password.checkpw("password", hash)
+ refute Password.checkpw("password1", hash)
+ end
+
+ test "it returns false when hash invalid" do
+ hash =
+ "psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
+
+ assert capture_log(fn ->
+ refute Password.checkpw("password", hash)
+ end) =~ "[error] Password hash not recognized"
+ end
+ end
+end
conn: conn
} do
user = insert(:user)
- assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
+ assert Pleroma.Password.checkpw("test", user.password_hash)
basic_auth_contents =
(URI.encode_www_form(user.nickname) <> ":" <> URI.encode_www_form("test"))
user =
insert(:user,
nickname: name,
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password)
+ password_hash: Pleroma.Password.hash_pwd_salt(password)
)
{:ok, [user: user, name: name, password: password]}
assert {:ok, returned_user} = res
assert returned_user.id == user.id
- assert "$pbkdf2" <> _ = returned_user.password_hash
+ assert "$argon2" <> _ = returned_user.password_hash
end
test "get_user/authorization with invalid password", %{name: name} do
hashed_codes =
backup_codes
- |> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1))
+ |> Enum.map(&Pleroma.Password.hash_pwd_salt(&1))
user =
insert(:user,
]
end
+ test "update fields with a link to content with rel=me, with ap id", %{user: user, conn: conn} do
+ Tesla.Mock.mock(fn
+ %{url: "http://example.com/rel_me/ap_id"} ->
+ %Tesla.Env{
+ status: 200,
+ body: ~s[<html><head><link rel="me" href="#{user.ap_id}"></head></html>]
+ }
+ end)
+
+ field = %{name: "Website", value: "http://example.com/rel_me/ap_id"}
+
+ account_data =
+ conn
+ |> patch("/api/v1/accounts/update_credentials", %{fields_attributes: [field]})
+ |> json_response_and_validate_schema(200)
+
+ assert [
+ %{
+ "name" => "Website",
+ "value" =>
+ ~s[<a href="http://example.com/rel_me/ap_id" rel="ugc">http://example.com/rel_me/ap_id</a>],
+ "verified_at" => verified_at
+ }
+ ] = account_data["fields"]
+
+ {:ok, verified_at, _} = DateTime.from_iso8601(verified_at)
+ assert DateTime.diff(DateTime.utc_now(), verified_at) < 10
+ end
+
+ test "update fields with a link to content with rel=me, with frontend path", %{
+ user: user,
+ conn: conn
+ } do
+ fe_url = "#{Pleroma.Web.Endpoint.url()}/#{user.nickname}"
+
+ Tesla.Mock.mock(fn
+ %{url: "http://example.com/rel_me/fe_path"} ->
+ %Tesla.Env{
+ status: 200,
+ body: ~s[<html><head><link rel="me" href="#{fe_url}"></head></html>]
+ }
+ end)
+
+ field = %{name: "Website", value: "http://example.com/rel_me/fe_path"}
+
+ account_data =
+ conn
+ |> patch("/api/v1/accounts/update_credentials", %{fields_attributes: [field]})
+ |> json_response_and_validate_schema(200)
+
+ assert [
+ %{
+ "name" => "Website",
+ "value" =>
+ ~s[<a href="http://example.com/rel_me/fe_path" rel="ugc">http://example.com/rel_me/fe_path</a>],
+ "verified_at" => verified_at
+ }
+ ] = account_data["fields"]
+
+ {:ok, verified_at, _} = DateTime.from_iso8601(verified_at)
+ assert DateTime.diff(DateTime.utc_now(), verified_at) < 10
+ end
+
test "emojis in fields labels", %{conn: conn} do
fields = [
%{name: ":firefox:", value: "is best 2hu"},
end
test "/check_password", %{conn: conn} do
- user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool"))
+ user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("cool"))
_deactivated_user =
insert(:user,
nickname: "konata",
is_active: false,
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("cool")
+ password_hash: Pleroma.Password.hash_pwd_salt("cool")
)
res =
@tag @skip
test "authorizes the existing user using LDAP credentials" do
password = "testpassword"
- user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+ user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"])
host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
@tag @skip
test "disallow authorization for wrong LDAP credentials" do
password = "testpassword"
- user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+ user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"])
host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
insert(:user,
multi_factor_authentication_settings: %MFA.Settings{
enabled: true,
- backup_codes: [Pleroma.Password.Pbkdf2.hash_pwd_salt("test-code")],
+ backup_codes: [Pleroma.Password.hash_pwd_salt("test-code")],
totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
}
)
hashed_codes =
backup_codes
- |> Enum.map(&Pleroma.Password.Pbkdf2.hash_pwd_salt(&1))
+ |> Enum.map(&Pleroma.Password.hash_pwd_salt(&1))
user =
insert(:user,
app: app,
conn: conn
} do
- user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
+ user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword"))
registration = insert(:registration, user: nil)
redirect_uri = OAuthController.default_redirect_uri(app)
app: app,
conn: conn
} do
- user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("testpassword"))
+ user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt("testpassword"))
registration = insert(:registration, user: nil)
unlisted_redirect_uri = "http://cross-site-request.com"
test "issues a token for `password` grant_type with valid credentials, with full permissions by default" do
password = "testpassword"
- user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+ user = insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
app = insert(:oauth_app, scopes: ["read", "write"])
user =
insert(:user,
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.hash_pwd_salt(password),
multi_factor_authentication_settings: %MFA.Settings{
enabled: true,
totp: %MFA.Settings.TOTP{secret: otp_secret, confirmed: true}
password = "testpassword"
{:ok, user} =
- insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+ insert(:user, password_hash: Pleroma.Password.hash_pwd_salt(password))
|> User.confirmation_changeset(set_confirmation: false)
|> User.update_and_set_cache()
user =
insert(:user,
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.hash_pwd_salt(password),
is_active: false
)
user =
insert(:user,
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.hash_pwd_salt(password),
password_reset_pending: true
)
user =
insert(:user,
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.hash_pwd_salt(password),
is_confirmed: false
)
user =
insert(:user,
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password),
+ password_hash: Pleroma.Password.hash_pwd_salt(password),
is_approved: false
)
user = %User{
id: 1,
name: "dude",
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("guy")
+ password_hash: Pleroma.Password.hash_pwd_salt("guy")
}
conn =
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
end
- test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
+ test "with a bcrypt hash, it updates to an argon2 hash", %{conn: conn} do
user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123"))
assert "$2" <> _ = user.password_hash
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
user = User.get_by_id(user.id)
- assert "$pbkdf2" <> _ = user.password_hash
+ assert "$argon2" <> _ = user.password_hash
end
- @tag :skip_on_mac
- test "with a crypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
- user =
- insert(:user,
- password_hash:
- "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
- )
+ test "with a pbkdf2 hash, it updates to an argon2 hash", %{conn: conn} do
+ user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("123"))
+ assert "$pbkdf2" <> _ = user.password_hash
conn =
conn
|> assign(:auth_user, user)
- |> assign(:auth_credentials, %{password: "password"})
+ |> assign(:auth_credentials, %{password: "123"})
|> AuthenticationPlug.call(%{})
assert conn.assigns.user.id == conn.assigns.auth_user.id
assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
user = User.get_by_id(user.id)
- assert "$pbkdf2" <> _ = user.password_hash
+ assert "$argon2" <> _ = user.password_hash
end
describe "checkpw/2" do
refute AuthenticationPlug.checkpw("test-password1", hash)
end
- @tag :skip_on_mac
- test "check sha512-crypt hash" do
- hash =
- "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
+ test "check bcrypt hash" do
+ hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS"
assert AuthenticationPlug.checkpw("password", hash)
+ refute AuthenticationPlug.checkpw("password1", hash)
end
- test "check bcrypt hash" do
- hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS"
+ test "check argon2 hash" do
+ hash =
+ "$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
assert AuthenticationPlug.checkpw("password", hash)
refute AuthenticationPlug.checkpw("password1", hash)
assert response =~ "<h2>Password changed!</h2>"
user = refresh_record(user)
- assert Pleroma.Password.Pbkdf2.verify_pass("test", user.password_hash)
+ assert Pleroma.Password.checkpw("test", user.password_hash)
assert Enum.empty?(Token.get_user_tokens(user))
end
assert json_response_and_validate_schema(conn, 200) == %{"status" => "success"}
fetched_user = User.get_cached_by_id(user.id)
- assert Pleroma.Password.Pbkdf2.verify_pass("newpass", fetched_user.password_hash) == true
+ assert Pleroma.Password.checkpw("newpass", fetched_user.password_hash) == true
end
end
email: "test@example.org",
name: "Test Name",
nickname: "testname",
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
+ password_hash: Pleroma.Password.hash_pwd_salt("test"),
bio: "A tester.",
ap_id: "some id",
last_digest_emailed_at: NaiveDateTime.truncate(NaiveDateTime.utc_now(), :second),
def user_factory(attrs \\ %{}) do
pem = Enum.random(@rsa_keys)
+ # Argon2.hash_pwd_salt("test")
+ # it really eats CPU time, so we use a precomputed hash
+ password_hash =
+ "$argon2id$v=19$m=65536,t=8,p=2$FEAarFuiOsROO24NHIHMYw$oxdaz2fTPpuU+dYCl60FsqE65T1Tjy6lGikKfmql4xo"
user = %User{
name: sequence(:name, &"Test テスト User #{&1}"),
email: sequence(:email, &"user#{&1}@example.com"),
nickname: sequence(:nickname, &"nick#{&1}"),
- password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
+ password_hash: password_hash,
bio: sequence(:bio, &"Tester Number #{&1}"),
is_discoverable: true,
last_digest_emailed_at: NaiveDateTime.utc_now(),