Merge pull request 'Use argon2 for password hashing' (#47) from argon2-hashing into main

Author: Sporiff

pom.xml

@@ -200,6 +200,11 @@
             <classifier>jakarta</classifier>
             <version>${querydsl.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+            <version>1.76</version>
+        </dependency>
 
     </dependencies>
 

src/main/java/org/openpodcastapi/opa/config/SecurityConfig.java

@@ -15,7 +15,7 @@
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
@@ -121,8 +121,8 @@ public SecurityFilterChain webSecurity(HttpSecurity http) {
     ///
     /// @return a configured password encoder
     @Bean
-    public BCryptPasswordEncoder passwordEncoder() {
-        return new BCryptPasswordEncoder();
+    public Argon2PasswordEncoder passwordEncoder() {
+        return Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8();
     }
 
     /// An authentication provider for password-based authentication
@@ -132,7 +132,7 @@ public BCryptPasswordEncoder passwordEncoder() {
     /// @return the configured authentication provider
     @Bean
     public DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService userDetailsService,
-                                                               BCryptPasswordEncoder passwordEncoder) {
+                                                               Argon2PasswordEncoder passwordEncoder) {
         final var provider = new DaoAuthenticationProvider(userDetailsService);
         provider.setPasswordEncoder(passwordEncoder);
         return provider;

src/main/java/org/openpodcastapi/opa/security/TokenService.java

@@ -4,7 +4,7 @@
 import io.jsonwebtoken.security.Keys;
 import org.openpodcastapi.opa.user.UserEntity;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 import javax.crypto.SecretKey;
@@ -18,7 +18,7 @@
 public class TokenService {
 
     private final RefreshTokenRepository repository;
-    private final BCryptPasswordEncoder passwordEncoder;
+    private final Argon2PasswordEncoder passwordEncoder;
     // The secret string used to generate secret keys
     @Value("${jwt.secret}")
     private String secret;
@@ -35,7 +35,7 @@ public class TokenService {
     ///
     /// @param repository      the refresh token repository for token interaction
     /// @param passwordEncoder the password encoder for encoding tokens
-    public TokenService(RefreshTokenRepository repository, BCryptPasswordEncoder passwordEncoder) {
+    public TokenService(RefreshTokenRepository repository, Argon2PasswordEncoder passwordEncoder) {
         this.repository = repository;
         this.passwordEncoder = passwordEncoder;
     }

src/main/java/org/openpodcastapi/opa/user/UserService.java

@@ -6,7 +6,7 @@
 import org.openpodcastapi.opa.pagination.CursorUtility;
 import org.slf4j.Logger;
 import org.springframework.dao.DataIntegrityViolationException;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -23,15 +23,15 @@ public class UserService {
     private final UserRepository repository;
     private final CursorRepository cursorRepository;
     private final UserMapper mapper;
-    private final BCryptPasswordEncoder passwordEncoder;
+    private final Argon2PasswordEncoder passwordEncoder;
 
     /// Required-args constructor
     ///
     /// @param repository       the user repository used for user interactions
     /// @param cursorRepository the cursor repository used for paginated requests
     /// @param mapper           the user mapper used to map user entities and DTOs
     /// @param passwordEncoder  the password encoder used to handle user passwords
-    public UserService(UserRepository repository, CursorRepository cursorRepository, UserMapper mapper, BCryptPasswordEncoder passwordEncoder) {
+    public UserService(UserRepository repository, CursorRepository cursorRepository, UserMapper mapper, Argon2PasswordEncoder passwordEncoder) {
         this.repository = repository;
         this.cursorRepository = cursorRepository;
         this.mapper = mapper;

src/main/java/org/openpodcastapi/opa/util/AdminUserInitializer.java

@@ -8,7 +8,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.ApplicationArguments;
 import org.springframework.boot.ApplicationRunner;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.stereotype.Component;
 
 import java.util.Set;
@@ -20,7 +20,7 @@
 public class AdminUserInitializer implements ApplicationRunner {
     private static final Logger log = getLogger(AdminUserInitializer.class);
     private final UserRepository userRepository;
-    private final BCryptPasswordEncoder encoder;
+    private final Argon2PasswordEncoder encoder;
     @Value("${admin.username}")
     private String username;
     @Value("${admin.password}")
@@ -32,7 +32,7 @@ public class AdminUserInitializer implements ApplicationRunner {
     ///
     /// @param userRepository the user repository used for user interactions
     /// @param encoder        the password encoder used to encrypt the admin password
-    public AdminUserInitializer(UserRepository userRepository, BCryptPasswordEncoder encoder) {
+    public AdminUserInitializer(UserRepository userRepository, Argon2PasswordEncoder encoder) {
         this.userRepository = userRepository;
         this.encoder = encoder;
     }

src/test/java/org/openpodcastapi/opa/auth/AuthApiTest.java

@@ -11,7 +11,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.http.MediaType;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MockMvc;
 
@@ -34,7 +34,7 @@ class AuthApiTest {
     @Autowired
     MockMvc mockMvc;
     @Autowired
-    private BCryptPasswordEncoder passwordEncoder;
+    private Argon2PasswordEncoder passwordEncoder;
     @Autowired
     private UserRepository userRepository;
     @Autowired

src/test/java/org/openpodcastapi/opa/subscriptions/SubscriptionRestControllerTest.java

@@ -16,7 +16,7 @@
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.http.MediaType;
 import org.springframework.restdocs.payload.JsonFieldType;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MockMvc;
 import tools.jackson.databind.json.JsonMapper;
@@ -62,7 +62,7 @@ class SubscriptionRestControllerTest {
     private FeedRepository feedRepository;
 
     @Autowired
-    private BCryptPasswordEncoder passwordEncoder;
+    private Argon2PasswordEncoder passwordEncoder;
 
     private UserEntity mockUser;
 

src/test/java/org/openpodcastapi/opa/user/UserRestControllerTest.java

@@ -9,7 +9,7 @@
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.http.MediaType;
 import org.springframework.restdocs.payload.JsonFieldType;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.web.servlet.MockMvc;
 
@@ -42,7 +42,7 @@ class UserRestControllerTest {
     private UserRepository userRepository;
 
     @Autowired
-    private BCryptPasswordEncoder passwordEncoder;
+    private Argon2PasswordEncoder passwordEncoder;
 
     @Autowired
     private UserMapper userMapper;