From ec60bcbfbcf94e6e69d0f29fae50c8ea78e26d90 Mon Sep 17 00:00:00 2001
From: Pawel
Date: Wed, 14 Jan 2026 12:35:55 +0000
Subject: [PATCH 1/2] Upgraded Password Validation/Rehashing in API.pm
---
lib/GADS.pm | 2 +-
lib/GADS/API.pm | 16 ++++++++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/GADS.pm b/lib/GADS.pm
index 62ba1fa71..d992b0987 100644
--- a/lib/GADS.pm
+++ b/lib/GADS.pm
@@ -86,7 +86,7 @@ use WWW::Mechanize::Chrome;
use Dancer2; # Last to stop Moo generating conflicting namespace
use Dancer2::Plugin::DBIC;
use Dancer2::Plugin::Auth::Extensible;
-use Dancer2::Plugin::Auth::Extensible::Provider::DBIC 0.623;
+use Dancer2::Plugin::Auth::Extensible::Provider::DBIC 0.625;
use Dancer2::Plugin::LogReport 'linkspace';
use GADS::API; # API routes
diff --git a/lib/GADS/API.pm b/lib/GADS/API.pm
index c0a92b940..329aed9cf 100644
--- a/lib/GADS/API.pm
+++ b/lib/GADS/API.pm
@@ -28,6 +28,7 @@ use URI::Escape qw/uri_escape_utf8/;
use Dancer2 appname => 'GADS';
use Dancer2::Plugin::Auth::Extensible;
+use Dancer2::Plugin::CryptPassphrase;
use Dancer2::Plugin::DBIC;
use Dancer2::Plugin::LogReport 'linkspace';
@@ -56,8 +57,19 @@ my $verify_user_password_sub = sub {
username => $args{username},
})->next;
- $user && Crypt::SaltedHash->validate($user->password, $args{password})
- and return ($client->id, undef, undef, $user->id);
+ if ($user) {
+ my $stored = $user->password;
+
+ if (crypt_passphrase->verify_password($args{password}, $stored)) {
+ return ($client->id, undef, undef, $user->id);
+ }
+ if (Crypt::SaltedHash->validate($stored, $args{password})) {
+ my $new_hash = crypt_passphrase->hash_password($args{password});
+ $user->update({ password => $new_hash });
+
+ return ($client->id, undef, undef, $user->id);
+ }
+ }
return (0, 'access_denied');
};
From fcd80b70e7928bd583f1daea211f10bfcecf7b70 Mon Sep 17 00:00:00 2001
From: Pawel
Date: Wed, 24 Jun 2026 11:33:51 +0100
Subject: [PATCH 2/2] Improved rehashing future-proofing for modern algorithms
---
lib/GADS/API.pm | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/lib/GADS/API.pm b/lib/GADS/API.pm
index 329aed9cf..93d315380 100644
--- a/lib/GADS/API.pm
+++ b/lib/GADS/API.pm
@@ -60,18 +60,17 @@ my $verify_user_password_sub = sub {
if ($user) {
my $stored = $user->password;
- if (crypt_passphrase->verify_password($args{password}, $stored)) {
- return ($client->id, undef, undef, $user->id);
+ if (!crypt_passphrase->verify_password($args{password}, $stored)) {
+ return (0, 'access_denied');
}
- if (Crypt::SaltedHash->validate($stored, $args{password})) {
+ if (crypt_passphrase->needs_rehash($stored)) {
my $new_hash = crypt_passphrase->hash_password($args{password});
$user->update({ password => $new_hash });
- return ($client->id, undef, undef, $user->id);
}
}
-
- return (0, 'access_denied');
+
+ return ($client->id, undef, undef, $user->id);
};
my $store_access_token_sub = sub {