Add password_iter option

This commit is contained in:
Reynir Björnsson 2021-01-21 12:01:47 +01:00
parent 23ca1beb05
commit a6fe9ada45
3 changed files with 13 additions and 7 deletions

View file

@ -40,9 +40,8 @@ let user_info_of_sexp =
let h count salt password =
Pbkdf.pbkdf2 ~prf ~count ~dk_len ~salt ~password:(Cstruct.of_string password)
let hash ~username ~password =
let hash ?(password_iter=default_count) ~username ~password () =
let salt = Mirage_crypto_rng.generate 16 in
let password_iter = default_count in
let password_hash = h password_iter salt password in
{ username; password_hash; password_salt = salt; password_iter }

View file

@ -125,7 +125,7 @@ let do_migrate dbpath =
let migrate () dbpath =
or_die 1 (do_migrate dbpath)
let user_mod action dbpath username =
let user_mod action dbpath password_iter username =
let r =
Caqti_blocking.connect
(Uri.make ~scheme:"sqlite3" ~path:dbpath ~query:["create", ["false"]] ())
@ -134,7 +134,7 @@ let user_mod action dbpath username =
flush stdout;
(* FIXME: getpass *)
let password = read_line () in
let user_info = Builder_web_auth.hash ~username ~password in
let user_info = Builder_web_auth.hash ?password_iter ~username ~password () in
match action with
| `Add ->
Db.exec Builder_db.User.add user_info
@ -192,6 +192,12 @@ let username =
pos 0 (some string) None &
info ~doc ~docv:"USERNAME" [])
let password_iter =
let doc = "password hash count" in
Cmdliner.Arg.(value &
opt (some int) None &
info ~doc ["hash-count"])
let datadir =
let doc = Cmdliner.Arg.info ~doc:"builder data dir" ["datadir"] in
Cmdliner.Arg.(value &
@ -227,12 +233,12 @@ let add_cmd =
let user_add_cmd =
let doc = "add a user" in
(Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ username),
(Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ password_iter $ username),
Cmdliner.Term.info ~doc "user-add")
let user_update_cmd =
let doc = "update a user password" in
(Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ username),
(Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ password_iter $ username),
Cmdliner.Term.info ~doc "user-update")
let user_remove_cmd =

View file

@ -57,7 +57,8 @@ let authorized t handler = fun req ->
then handler req
else Lwt.return unauthorized
| Ok None ->
ignore (Builder_web_auth.hash ~username ~password);
let _ : Builder_web_auth.user_info =
Builder_web_auth.hash ~username ~password () in
Lwt.return unauthorized
| Error e ->
Log.warn (fun m -> m "Error getting user: %a" pp_error e);