fix(authentication): only check argon2id salt for b64 encoding (#2529)

This changes the validation of salts for sha512 to be done by the upstream API rather than locally. This allows the salts used in Linux to be utilized with Authelia provided the hash is a sha512 hash. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-11-05 14:49:45 +11:00 · 2021-11-05 14:49:45 +11:00 · 1ea94dd403
parent eae353e315
commit 1ea94dd403
1 changed files with 10 additions and 8 deletions
--- a/internal/authentication/password_hash.go
+++ b/internal/authentication/password_hash.go
@ -56,11 +56,6 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
 		return nil, fmt.Errorf("Hash key contains no characters or the field length is invalid (%s)", hash)
 	}

-	_, err = crypt.Base64Encoding.DecodeString(h.Salt)
-	if err != nil {
-		return nil, errors.New("Salt contains invalid base64 characters")
-	}
-
 	switch code {
 	case HashingAlgorithmSHA512:
 		h.Iterations = parameters.GetInt("rounds", HashingDefaultSHA512Iterations)
@ -70,6 +65,11 @@ func ParseHash(hash string) (passwordHash *PasswordHash, err error) {
 			return nil, fmt.Errorf("SHA512 iterations is not numeric (%s)", parameters["rounds"])
 		}
 	case HashingAlgorithmArgon2id:
+		_, err = crypt.Base64Encoding.DecodeString(h.Salt)
+		if err != nil {
+			return nil, errors.New("Salt contains invalid base64 characters")
+		}
+
 		version := parameters.GetInt("v", 0)
 		if version < 19 {
 			if version == 0 {
@ -118,9 +118,11 @@ func HashPassword(password, salt string, algorithm CryptAlgo, iterations, memory
 		}
 	}

-	err = validateSalt(salt, saltLength)
-	if err != nil {
-		return "", err
+	if algorithm != HashingAlgorithmSHA512 {
+		err = validateSalt(salt, saltLength)
+		if err != nil {
+			return "", err
+		}
 	}

 	if salt == "" {