New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
15278 Hash password reset token securely #18022
Conversation
/** | ||
* Hash algorithm used to create the password reset token. | ||
*/ | ||
const TOKEN_HASH_ALGO = 'sha3-512'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fyi would maybe need to check if this hash algo is available and if not fall back to a different one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to PHP hash_algos(), support for sha3-512 was added in PHP7.1, and the minimum requirement for Matomo is PHP7.2.
I'm still not totally happy with using a hash algorithm that is optimized to be calculated as fast as possible on modern hardware instead of one intended for cryptographic use and optimized to be rather slow like bcrypt or argon2. But calling them directly outside of Also this is a bit out of the scope of this issue, but I got the feeling that a password reset token is more a topic of cryptographically signing the data that needs verification instead of hashing it. |
Okay, I looked into the password reset process a bit more and am now even more confused as to why we need this hash at all. I always assumed the password reset was not stored server side at all, but Matomo actually stores the information about the password server side: matomo/plugins/Login/PasswordResetter.php Lines 509 to 521 in d2dd657
But if we are already doing this, then we could simplify the password reset by a lot without any insecure hashes, weird shuffeling around of characters and many ways to mess this up in a security critical way. |
@Findus23 The token isn't stored. It's tried to be regenerated based on the given user and the possible reset time range. See matomo/plugins/Login/PasswordResetter.php Lines 248 to 262 in 7e82e80
|
@sgiehl But the |
I'm not sure if changing the hash algorithm for that specific part has any advantages or not. |
@sgiehl that circles back to my first implementation attempt. The thing with the config option is it's for a slightly different purpose, and could (and really should) be set to an algorithm that has varying results for the same input. |
I guess currently is expected behavior that |
Seems we're already storing parts of the token in |
In my opinion it be fine if any sent password reset link before the Matomo update to this version will break if they try to click after the Matomo update. AKA any link generated from keySuffix will no longer work. But since links are only valid for 24 hours + they are clicked usually right after requesting the link it should be fine. |
If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'. |
This PR was last updated more than one month ago, maybe it's time to close it. Please check if there is anything we still can do or close this PR. ping @matomo-org/core-reviewers |
Description:
This proposed fix for #15278 hashes the password reset token securely, and returns the same results every time the hash is created with the same data. I chose the ssh3-512 algorithm as it seems to be a decent balance between a secure hash and the time it takes to generate the hash.