1433: Create user hashing for Koblenz #1499
Conversation
ztefanie
requested review from
steffenkleinle,
f1sh1918 and
seluianova
as code owners
| throw Exception("Invalid Json input for hashing") | ||
| } | ||
|
|
||
| val pepper = Environment.getVariable(KOBLENZ_PEPPER_SYS_ENV) //TODO handle if Null |
There was a problem hiding this comment.
What error handling do we want, if the env var cannot be accesed / is not set?
There was a problem hiding this comment.
just added a basic exception. Do we need a separate exception for that?
ztefanie
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
2 times, most recently
from
29ec97a
to
df38492
Compare
ztefanie
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
from
df38492
to
38164c7
Compare
There was a problem hiding this comment.
I'm a little bit confused here about the scope of this task and probably there was a misunderstanding. Seems like i didn't explain this clear enough in the issue :/
I expected in this task: (#1433)
- create a UserInfoModel (name, birthday, referenceNr)
- hash this model with
argon2id - create tests for the hashing
- provide sample input and output data to koblenz service provider.
For other tasks like CardCreation we have different tasks, f.e.
#1421
...main/kotlin/app/ehrenamtskarte/backend/verification/webservice/schema/CardMutationService.kt
Outdated
Show resolved
Hide resolved
ztefanie
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
2 times, most recently
from
2495c6a
to
ac86f6f
Compare
ztefanie
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
from
ac86f6f
to
f67524a
Compare
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/CanonicalJson.kt
Outdated
Show resolved
Hide resolved
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/Argon2IdHasher.kt
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Nice implementation!
Added some minor comments
Unfortunately i can not start the backend receiving this error
Exception in thread "main" java.lang.Error: Required project 'koblenz.pass.app' not found!
at app.ehrenamtskarte.backend.regions.database.SetupKt.insertOrUpdateRegions$createOrUpdateRegion(Setup.kt:21)
at app.ehrenamtskarte.backend.regions.database.SetupKt.access$insertOrUpdateRegions$createOrUpdateRegion(Setup.kt:1)
at app.ehrenamtskarte.backend.regions.database.SetupKt$insertOrUpdateRegions$1.invoke(Setup.kt:61)
at app.ehrenamtskarte.backend.regions.database.SetupKt$insertOrUpdateRegions$1.invoke(Setup.kt:38)
```
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/Argon2IdHasher.kt
Outdated
Show resolved
Hide resolved
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/Argon2IdHasher.kt
Outdated
Show resolved
Hide resolved
@ztefanie You probably should talk to daniel and sven that we need some domain for koblenz. Just to prepare that |
I can start the backend with no problems, maybe some problem with your local setup. We can talk about this, when your vacation is over.
Not part of this issue.
Getting the domains for Koblenz is not part of this issue and not even related |
backend/src/main/kotlin/app/ehrenamtskarte/backend/common/webservice/Constants.kt
Outdated
Show resolved
Hide resolved
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/Argon2IdHasher.kt
Outdated
Show resolved
Hide resolved
| - The birthday is defined in our protobuf [card.proto](../frontend/card.proto) file: It counts the days since the birthday (calculated from 1970-01-01). | ||
| All values of this field are valid, including the 0, which indicates that the birthday is on 1970-01-01. Birthdays before 1970-01-01 have negative values. |
There was a problem hiding this comment.
Potentially, it would be easier (for Koblenz and for debuggability) to use a ISO 8601 date string instead, but I'm fine with both :)
There was a problem hiding this comment.
I see your point, would keep it like this, so at least our code is consistent?
There was a problem hiding this comment.
ISO 8601 might be problematic because there are maybe multiple encodings of the same date. Not sure though. I'm just thinking about the "+Z" and "+00:00"
There was a problem hiding this comment.
i'm gonna keep the calculated birthday here if thats okay for everyone
Co-authored-by: Michael Markl <[email protected]>
backend/src/main/kotlin/app/ehrenamtskarte/backend/regions/database/Setup.kt
Show resolved
Hide resolved
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/Argon2IdHasher.kt
Outdated
Show resolved
Hide resolved
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/Argon2IdHasher.kt
Outdated
Show resolved
Hide resolved
| - The birthday is defined in our protobuf [card.proto](../frontend/card.proto) file: It counts the days since the birthday (calculated from 1970-01-01). | ||
| All values of this field are valid, including the 0, which indicates that the birthday is on 1970-01-01. Birthdays before 1970-01-01 have negative values. |
There was a problem hiding this comment.
ISO 8601 might be problematic because there are maybe multiple encodings of the same date. Not sure though. I'm just thinking about the "+Z" and "+00:00"
backend/src/main/kotlin/app/ehrenamtskarte/backend/verification/Argon2IdHasher.kt
Outdated
Show resolved
Hide resolved
|
Another approach would have been to hash on the client and just the data to the server for the lookup, right? |
|
I believe this endpoint should have some rate limiting as it might be a target for DoS (argon2id is costly). The alternative approach would be to generate the hash on the client. |
Not really possible, as we don't want that the client can decide what to write to the card. |
I believe we could still send the user data to the server and do the additional check only if we find the matching hash. Then the expensive argon2id/pbkdf verification only runs if the hash can be found. The user would still send the name, birthdate etc to the server. |
Will be done here: #1421 |
# Conflicts: # backend/src/main/kotlin/app/ehrenamtskarte/backend/cards/Argon2IdHasher.kt # backend/src/main/kotlin/app/ehrenamtskarte/backend/exception/service/NotCorrectProjectExceptions.kt # backend/src/test/kotlin/app/ehrenamtskarte/backend/cards/Argon2IdHasherTest.kt
backend/src/main/kotlin/app/ehrenamtskarte/backend/common/utils/Environment.kt
Show resolved
Hide resolved
backend/src/main/kotlin/app/ehrenamtskarte/backend/regions/database/Setup.kt
Outdated
Show resolved
Hide resolved
f1sh1918
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
from
eaacbc7
to
396b4c4
Compare
|
Just updated the pr by adding a project config, adjusting hash and argon config in the docs. |
f1sh1918
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
from
396b4c4
to
d3879e2
Compare
f1sh1918
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
from
ba75f0c
to
c630dec
Compare
f1sh1918
force-pushed
the
1433-create-argon2-user-hashing-for-koblenz
branch
from
e8aa059
to
6695e76
Compare
backend/src/main/kotlin/app/ehrenamtskarte/backend/user/KoblenzUser.kt
Outdated
Show resolved
Hide resolved
I just noticed that this is also not possible, as the user would know the "secret salt/pepper" to generate the hash. So I think we can only do rate limiting. |
Short description
Add argon2 hashing for card info
Proposed changes
Resolved issues
Fixes: #1433