From ec60bcbfbcf94e6e69d0f29fae50c8ea78e26d90 Mon Sep 17 00:00:00 2001 From: Pawel Date: Wed, 14 Jan 2026 12:35:55 +0000 Subject: [PATCH 1/2] Upgraded Password Validation/Rehashing in API.pm --- lib/GADS.pm | 2 +- lib/GADS/API.pm | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/lib/GADS.pm b/lib/GADS.pm index 62ba1fa71..d992b0987 100644 --- a/lib/GADS.pm +++ b/lib/GADS.pm @@ -86,7 +86,7 @@ use WWW::Mechanize::Chrome; use Dancer2; # Last to stop Moo generating conflicting namespace use Dancer2::Plugin::DBIC; use Dancer2::Plugin::Auth::Extensible; -use Dancer2::Plugin::Auth::Extensible::Provider::DBIC 0.623; +use Dancer2::Plugin::Auth::Extensible::Provider::DBIC 0.625; use Dancer2::Plugin::LogReport 'linkspace'; use GADS::API; # API routes diff --git a/lib/GADS/API.pm b/lib/GADS/API.pm index c0a92b940..329aed9cf 100644 --- a/lib/GADS/API.pm +++ b/lib/GADS/API.pm @@ -28,6 +28,7 @@ use URI::Escape qw/uri_escape_utf8/; use Dancer2 appname => 'GADS'; use Dancer2::Plugin::Auth::Extensible; +use Dancer2::Plugin::CryptPassphrase; use Dancer2::Plugin::DBIC; use Dancer2::Plugin::LogReport 'linkspace'; @@ -56,8 +57,19 @@ my $verify_user_password_sub = sub { username => $args{username}, })->next; - $user && Crypt::SaltedHash->validate($user->password, $args{password}) - and return ($client->id, undef, undef, $user->id); + if ($user) { + my $stored = $user->password; + + if (crypt_passphrase->verify_password($args{password}, $stored)) { + return ($client->id, undef, undef, $user->id); + } + if (Crypt::SaltedHash->validate($stored, $args{password})) { + my $new_hash = crypt_passphrase->hash_password($args{password}); + $user->update({ password => $new_hash }); + + return ($client->id, undef, undef, $user->id); + } + } return (0, 'access_denied'); }; From fcd80b70e7928bd583f1daea211f10bfcecf7b70 Mon Sep 17 00:00:00 2001 From: Pawel Date: Wed, 24 Jun 2026 11:33:51 +0100 Subject: [PATCH 2/2] Improved rehashing future-proofing for modern algorithms --- lib/GADS/API.pm | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/lib/GADS/API.pm b/lib/GADS/API.pm index 329aed9cf..93d315380 100644 --- a/lib/GADS/API.pm +++ b/lib/GADS/API.pm @@ -60,18 +60,17 @@ my $verify_user_password_sub = sub { if ($user) { my $stored = $user->password; - if (crypt_passphrase->verify_password($args{password}, $stored)) { - return ($client->id, undef, undef, $user->id); + if (!crypt_passphrase->verify_password($args{password}, $stored)) { + return (0, 'access_denied'); } - if (Crypt::SaltedHash->validate($stored, $args{password})) { + if (crypt_passphrase->needs_rehash($stored)) { my $new_hash = crypt_passphrase->hash_password($args{password}); $user->update({ password => $new_hash }); - return ($client->id, undef, undef, $user->id); } } - - return (0, 'access_denied'); + + return ($client->id, undef, undef, $user->id); }; my $store_access_token_sub = sub {