[question] (Re)setting password without mail server/via cli? #410

Closed
hatkidchan opened this issue Sep 28, 2022 · 22 comments

Comments

@hatkidchan

I recently had to migrate my server and forgot to back up password salt which made every account unusable. I found an sqlite database that contains user data, but I'm not sure how to change passwords properly with other salt. I know that you can reset password via email, but that's not gonna work for me because it's a local server without mail server configured. How should I reset my passwords?

@hatkidchan
Author

Oh actually, never mind. It was quite easy to do:
First you have to set your password salt to any known value.
Then you use bcrypt on your password with the salt appended. You can use htpasswd -nbB USER "${PASSWORD}${SALT}" | sed 's/USER://' to do that.
And then you just update it in the database using UPDATE users SET password = '<value-from-previous-step>' WHERE id = 'your-username';

But tbh it would be nice to have some sort of admin CLI tools. Or am I missing something and there's such a thing already?

@muety muety mentioned this issue Sep 28, 2022
@muety
Owner

muety commented Sep 28, 2022

Hi @hatkidchan, glad you managed to find a solution yourself! Otherwise, I was gonna suggest the exact same procedure. Currently, there is no such thing as a CLI, but I agree that it would be useful to have. I'll add this as a feature request. See #411.

@muety muety closed this as completed Sep 28, 2022
@muety
Owner

muety commented Sep 28, 2022

Also, I added your solution to https://github.com/muety/wakapi/wiki/FAQs.

@gacekssj4

Hello @muety It does not work. Maybe password hashing was changed since this post?

@hatkidchan
Author

@gacekssj4 what version are you on? I've tested it on 2.3.8 and it seems to work for me.

@gacekssj4

@hatkidchan 2.10.2
I use salt generated by start.sh script

SALT="MYSECRETSALTSTRING_32CHARS"
echo $SALT
docker run -d \
  -p 8669:3000 \
  -e "WAKAPI_PASSWORD_SALT=$SALT" \
  -v /docker/wakapi/data:/data \
  --name wakapi \
  --restart unless-stopped \
  ghcr.io/muety/wakapi:latest

@hatkidchan
Author

Since 35ef323 they migrated to Argon2, so my "solution" doesn't work anymore. You can try looking up how to rehash password using it, but I myself have no clue

@gacekssj4

gacekssj4 commented Jan 3, 2024

Thanks for the hint! The FAQ is outdated then :)

@hatkidchan
Author

echo -n "new password" | argon2 -id "$SALT" should do the trick, haven't tested though

@muety
Owner

muety commented Jan 3, 2024

Let me know if that works. If yes, I'll update the FAQs!

@hatkidchan
Author

I'm staying on pre-argon2id version for the time being, not sure how smooth migration process is. @muety should be fine to just reinstall it to the latest with the older SQLite database file? I'll wait for @gacekssj4 to share their results with rehashing

@muety
Owner

muety commented Jan 3, 2024

Since version 2.8.0, new users will have Argon2-hashed passwords, but Bcrypt passwords are still supported. Regardless of this, I'd recommend updating to the latest version (because newer is usually better 😉). You can simply pull the new version and boot it up. It will perform all required database migrations, etc., so (in theory) there is no need for manual action. However, please still make sure to back up your database before the update - just in case.

@gacekssj4

Tried. Can't make it work. Not with argon2id nor with bcrypt
echo -n "mypass" | argon2 myhashstring -id (parameters should be at end)

Also, in database earlier I had string starting with $argon2id$v=19$m=65536,t=1,p=2
And argon is now creating different parameters.

So maybe it's a matter of parameters.

BCrypt created random string, Argon creates same string every time.

I also tried echo -n "mypass!" | argon2 myhashstring -id -t 1 -k 65536 -p 2
To produce same result as previously stored value $argon2id$v=19$m=65536,t=1,p=2

I create salt outside of docker. Maybe real salt is created based on it when docker starts and in reality it's different?
Any way to check the current hash directly from the program? Docker logs don't mention it (I assume for security reasons).

@hatkidchan
Author

Couldn't make it work with argon2, tried lots of options (argon2, argon2i, argon2id), but my argon2 binary only has support for 13th version max, while wakapi uses v19. Not sure if that's a big problem, but I just couldn't make it work. Maybe since Bcrypt is still supported, you can try using it to log in at first and then reset password within wakapi web UI itself. That did work for me, but not sure if that'll work for everyone.

@hatkidchan
Author

@gacekssj4

Maybe real salt is created based on it when docker starts and in reality it's different?

docker inspect wakapi-wakapi-1 | grep SALT works for me

@gacekssj4

@hatkidchan It's the same. I never programmed in Go. So either there is some additional hashing or I'm doing something wrong.

@hatkidchan
Author

I think I figured it out, you have to append salt to the password AND use it in argon2
Testing it now

@hatkidchan
Author

Yes! printf "%s%s" "$PASSWORD" "$SALT" | argon2 "$SALT" -id -e gives you a valid hash!

@muety
Owner

muety commented Jan 3, 2024

you have to append salt to the password AND use it in argon2

Yeah, sorry, should have mentioned that. You can find the relevant piece of code here.

Terminology is a bit confusing here. What Wakapi refers to as a salt is actually a pepper, while the salt is usually randomly generated for every user and stored in the database alongside the hash. See this post for details.

So in Wakapi, pepper is identical for all users, while salt is random and differs for every user. I'd adapt your above command to this:

printf "%s%s" "$PASSWORD" "$SALT" | argon2 $(openssl rand -hex 16) -id -e
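Putting the procedure from this thread into one script, as an added example that is not part of the thread or of Wakapi: it assumes the argon2 reference CLI and openssl are installed, uses the m=65536,t=1,p=2 parameters gacekssj4 quoted from the database, and the function names wakapi_hash, is_argon2id_hash and update_sql are invented here.

```shell
#!/bin/sh
# Added example (not from the thread or from Wakapi). Needs the argon2 reference CLI
# and openssl. Function names are invented for this example.

# Encode PASSWORD + PEPPER (Wakapi's WAKAPI_PASSWORD_SALT) with Argon2id and a fresh
# random 16-byte per-user salt. m=65536,t=1,p=2 are the values gacekssj4 saw in the
# database; the encoded string carries its parameters, so the server reads them back.
# The "v=19" in the output is hex 0x13, which the CLI calls version 13.
wakapi_hash() {
  password=$1
  pepper=$2
  salt=$(openssl rand -hex 16)
  printf '%s%s' "$password" "$pepper" | argon2 "$salt" -id -t 1 -k 65536 -p 2 -e
}

# Check the shape of an encoded hash before writing it: argon2id, v=19, exactly
# six '$'-separated fields (type, version, params, salt, digest).
is_argon2id_hash() {
  case $1 in
    '$argon2id$v=19$m='*',t='*',p='*'$'*'$'*) ;;
    *) return 1 ;;
  esac
  n=$(printf '%s\n' "$1" | awk -F'$' '{ print NF - 1 }')
  [ "$n" -eq 5 ]
}

# Build the UPDATE with single-quoted SQL literals; embedded quotes are doubled so
# the username or hash cannot terminate the literal early.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}
update_sql() {
  hash=$(sql_quote "$1")
  user=$(sql_quote "$2")
  printf "UPDATE users SET password = '%s' WHERE id = '%s';\n" "$hash" "$user"
}

# Usage (constructed values):
#   hash=$(wakapi_hash 'correct horse' "$WAKAPI_PASSWORD_SALT")
#   is_argon2id_hash "$hash" && update_sql "$hash" alice | sqlite3 /data/wakapi.db
```

Restart Wakapi after the UPDATE, since a user that has already logged in is cached in memory and the new hash is not read until then.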

@muety
Owner

muety commented Jan 3, 2024

Updated the FAQ.

@gacekssj4

gacekssj4 commented Jan 3, 2024

Don't get it. I cannot make it work.

I created a completely new user (user3). Set a new password for him. This user works.

So I copied new user password to old user (user1). It's same in database. Password created by app.

Funny thing is, when I set this password for another user (user2) it works. So basically it's more like the user does not work, not the password.

Just now... I tried logging in again and it works. But this time I hit the login button instead of the "Enter/return" key. No idea, maybe the password manager in the browser was not working. No idea.
Setting the password seems to also work, so I think it might be some browser/password manager issue on my side...

Thank you both for your help!

@muety
Owner

muety commented Jan 3, 2024

The user is being cached in memory for a while after once loaded (i.e. after log in). If you change a user attribute in the database manually without restarting the server, the change will not take effect.
