Plaintext passwords in auth config block are now prohibited

Author: proofrock

ROAD_TO_WS4SQL.md

@@ -6,17 +6,26 @@ The version in this branch is a work in progress to add features and (unfortunat
 
 ## Changes
 
+### Breaking changes
+
+- When running the app, the config files must be specified on the command line, the file paths cannot be used anymore (there). This is described in the "Migration" section below. The file path is in the config file.
+  - The only exception is a "simple case" to serve a file path without any config. This can be done with the new `--quick-db` parameter.
+- Hashed passwords in auth config must now be hashed with BCrypt, not SHA256.
+- Plain text passwords are not permitted anymore, in auth config.
+
+### Major features
+
 - SQLite is embedded via [mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) and CGO. Should be way faster.
 - Support for DuckDB (see below).
-- [**BREAKING CHANGE**] When running the app, the config files must be specified on the command line, the file paths cannot be used anymore (there). This is described in the "Migration" section below. The file path is in the config file.
-  - The only exception is a "simple case" to serve a file path without any config. This can be done with the new `--quick-db` parameter.
-- [**BREAKING CHANGE**] Hashed passwords in auth config must now be hashed with BCrypt, not SHA256.
-- Fail fast if the request is empty, don't even attempt to authenticate.
 - Target platforms (because of CGO) are now 4 (`win/amd64`, `macos/arm64`, `linux/amd64`, `linux/arm64`).
   - For Docker, `linux/amd64` and `linux/arm64`.
 - Docker images are now based on `distroless/static-debian12`.
 - Docker images are now hosted on Github's Container Registry.
 
+### Minor changes
+
+- Fail fast if the request is empty, don't even attempt to authenticate.
+
 ## Migration
 
 - For any `--db` and `--mem-db` switch that was used, an explicit YAML config file must be created. The format is the same, but there is a new section at the beginning:
@@ -31,7 +40,8 @@ database:
   readOnly: false       # Same as before, but moved here.
 ```
 
-- For any hashed password previously specified in an `auth` block, the hash must be BCrypt, not SHA256.
+- For any hashed password (`HashedPassword = ...`) previously specified in an `auth` block, the hash must be BCrypt, not SHA256.
+- For any plain text password (`Password = ...`), convert  in `HashedPassword`, also using BCrypt.
 
 ## Specific to DuckDB
 

src/authentication.go

@@ -119,16 +119,6 @@ func parseAuth(db *structs.Db) {
 			if cred.User == "" {
 				mllog.Fatal("no user for credential")
 			}
-			if (cred.HashedPassword == "") == (cred.Password == "") {
-				mllog.Fatal("one and only one of 'password' and 'hashedPassword' must be specified")
-			}
-			// Populates the cleartext password cache, so that there is only one
-			// point where the password is stored in clear text.
-			// If the password is specified as a BCrypt hash, it will be cached
-			// when the BCrypt "puzzle" is solved for the first time.
-			if cred.Password != "" {
-				cred.ClearTextPassword.Store([]byte(cred.Password))
-			}
 		}
 		mllog.StdOutf("  + Authentication enabled, with %d credentials", len(auth.ByCredentials))
 	}

src/authentication_test.go

@@ -55,8 +55,8 @@ func TestSetupAuthCreds(t *testing.T) {
 					Mode: "INLINE",
 					ByCredentials: []structs.CredentialsCfg{
 						{
-							User:     "pietro",
-							Password: "hey",
+							User:           "pietro",
+							HashedPassword: "$2b$12$Xo7tQh0BDzDAiPghc7AU1Ocx2MnGls46Ot55y4MQNtPRhK0nemyWq", // "hey"
 						},
 						{
 							User:           "paolo",
@@ -348,8 +348,8 @@ func TestBASetupAuthCreds(t *testing.T) {
 					Mode: "HTTP",
 					ByCredentials: []structs.CredentialsCfg{
 						{
-							User:     "pietro",
-							Password: "hey",
+							User:           "pietro",
+							HashedPassword: "$2b$12$Xo7tQh0BDzDAiPghc7AU1Ocx2MnGls46Ot55y4MQNtPRhK0nemyWq", // "hey"
 						},
 						{
 							User:           "paolo",
@@ -580,8 +580,8 @@ func TestCustomCodeSetup(t *testing.T) {
 					CustomErrorCode: &errCode,
 					ByCredentials: []structs.CredentialsCfg{
 						{
-							User:     "pietro",
-							Password: "hey",
+							User:           "pietro",
+							HashedPassword: "$2b$12$Xo7tQh0BDzDAiPghc7AU1Ocx2MnGls46Ot55y4MQNtPRhK0nemyWq", // "hey"
 						},
 						{
 							User:           "paolo",

src/cli_test.go

@@ -91,10 +91,8 @@ func TestConfigs(t *testing.T) {
 	assert(t, cfgdb.Auth.ByQuery == "", "the db has ByQuery with a value")
 	assert(t, len(cfgdb.Auth.ByCredentials) == 2, "the db has not the correct number of credentials")
 	assert(t, cfgdb.Auth.ByCredentials[0].User == "myUser1", "the db has not the correct first user")
-	assert(t, cfgdb.Auth.ByCredentials[0].Password == "myHotPassword", "the db has not the correct first password")
 	assert(t, cfgdb.Auth.ByCredentials[0].HashedPassword == "", "the db has not the correct first hashed password")
 	assert(t, cfgdb.Auth.ByCredentials[1].User == "myUser2", "the db has not the correct second user")
-	assert(t, cfgdb.Auth.ByCredentials[1].Password == "", "the db has not the correct second password")
 	assert(t, len(cfgdb.Auth.ByCredentials[1].HashedPassword) == 64, "the db has not the correct second hashed password")
 	assert(t, *cfgdb.DatabaseDef.DisableWALMode, "the db has not the correct WAL mode")
 	assert(t, cfgdb.DatabaseDef.ReadOnly, "the db has not the correct ReadOnly value")

src/structs/configFile.go

@@ -38,11 +38,9 @@ type ScheduledTask struct {
 
 type CredentialsCfg struct {
 	User           string `yaml:"user"`
-	Password       string `yaml:"password"`
 	HashedPassword string `yaml:"hashedPassword"`
-	// This is a cache: it's the Password if specified in cleartext, or
-	// gets populated with the cleartext password when the hashed one is
-	// checked.
+	// This is a cache: it gets populated with the cleartext
+	// password when the hashed one is checked.
 	ClearTextPassword atomic.Value
 }