feat: migrate argon2 secure password hashing from dev branch

Author: LIghtJUNction

astrbot/core/utils/auth_password.py

@@ -5,6 +5,14 @@
 import re
 import secrets
 
+try:
+    import argon2.exceptions as argon2_exceptions
+    from argon2 import PasswordHasher
+
+    _PASSWORD_HASHER = PasswordHasher()
+except ImportError:
+    _PASSWORD_HASHER = None
+
 _PBKDF2_ITERATIONS = 600_000
 _PBKDF2_SALT_BYTES = 16
 _PBKDF2_ALGORITHM = "pbkdf2_sha256"
@@ -15,10 +23,16 @@
 
 
 def hash_dashboard_password(raw_password: str) -> str:
-    """Return a salted hash for dashboard password using PBKDF2-HMAC-SHA256."""
+    """Return a salted hash for dashboard password using Argon2 (if available) or PBKDF2-HMAC-SHA256 fallback."""
     if not isinstance(raw_password, str) or raw_password == "":
         raise ValueError("Password cannot be empty")
 
+    if _PASSWORD_HASHER is not None:
+        try:
+            return _PASSWORD_HASHER.hash(raw_password)
+        except Exception as e:
+            raise ValueError(f"Failed to hash password securely (argon2): {e!s}")
+
     salt = secrets.token_hex(_PBKDF2_SALT_BYTES)
     digest = hashlib.pbkdf2_hmac(
         "sha256",
@@ -65,21 +79,24 @@ def _is_pbkdf2_hash(stored: str) -> bool:
     return isinstance(stored, str) and stored.startswith(_PBKDF2_FORMAT)
 
 
+def _is_argon2_hash(stored: str) -> bool:
+    return isinstance(stored, str) and stored.startswith("$argon2")
+
+
 def verify_dashboard_password(stored_hash: str, candidate_password: str) -> bool:
-    """Verify password against legacy md5 or new PBKDF2-SHA256 format."""
+    """Verify password against legacy md5, new PBKDF2-SHA256 format, or Argon2."""
     if not isinstance(stored_hash, str) or not isinstance(candidate_password, str):
         return False
 
-    if _is_legacy_md5_hash(stored_hash):
-        # Keep compatibility with existing md5-based deployments:
-        # new clients send plain password, old clients may send md5 of it.
-        candidate_md5 = hashlib.md5(candidate_password.encode("utf-8")).hexdigest()
-        return hmac.compare_digest(
-            stored_hash.lower(), candidate_md5.lower()
-        ) or hmac.compare_digest(
-            stored_hash.lower(),
-            candidate_password.lower(),
-        )
+    if _is_argon2_hash(stored_hash):
+        if _PASSWORD_HASHER is None:
+            return False
+        try:
+            return _PASSWORD_HASHER.verify(stored_hash, candidate_password)
+        except argon2_exceptions.VerifyMismatchError:
+            return False
+        except Exception:
+            return False
 
     if _is_pbkdf2_hash(stored_hash):
         parts: list[str] = stored_hash.split("$")
@@ -100,6 +117,28 @@ def verify_dashboard_password(stored_hash: str, candidate_password: str) -> bool
         )
         return hmac.compare_digest(stored_key, candidate_key)
 
+    if _is_legacy_md5_hash(stored_hash):
+        # Keep compatibility with existing md5-based deployments:
+        # new clients send plain password, old clients may send md5 of it.
+        candidate_md5 = hashlib.md5(candidate_password.encode("utf-8")).hexdigest()
+        return hmac.compare_digest(
+            stored_hash.lower(), candidate_md5.lower()
+        ) or hmac.compare_digest(
+            stored_hash.lower(),
+            candidate_password.lower(),
+        )
+
+    # Legacy SHA-256 fallback compatibility (from dev branch)
+    if len(stored_hash) == 64 and all(
+        c in "0123456789abcdefABCDEF" for c in stored_hash
+    ):
+        candidate_sha256 = hashlib.sha256(
+            candidate_password.encode("utf-8")
+        ).hexdigest()
+        return hmac.compare_digest(
+            stored_hash.lower(), candidate_sha256.lower()
+        ) or hmac.compare_digest(stored_hash.lower(), candidate_password.lower())
+
     return False
 
 
@@ -109,5 +148,13 @@ def is_default_dashboard_password(stored_hash: str) -> bool:
 
 
 def is_legacy_dashboard_password(stored_hash: str) -> bool:
-    """Check whether the password is still stored with legacy MD5."""
-    return _is_legacy_md5_hash(stored_hash)
+    """Check whether the password is still stored with legacy MD5 or plain SHA256."""
+    if not isinstance(stored_hash, str) or not stored_hash:
+        return False
+    if _is_legacy_md5_hash(stored_hash):
+        return True
+    if len(stored_hash) == 64 and all(
+        c in "0123456789abcdefABCDEF" for c in stored_hash
+    ):
+        return True
+    return False

pyproject.toml

@@ -58,6 +58,7 @@ dependencies = [
   "click>=8.2.1",
   "pypdf>=6.1.1",
   "aiofiles>=25.1.0",
+  "argon2-cffi>=23.1.0",
   "rank-bm25>=0.2.2",
   "jieba>=0.42.1",
   "markitdown-no-magika[docx,xls,xlsx]>=0.1.2",

requirements.txt

@@ -56,4 +56,5 @@ tenacity>=9.1.2
 shipyard-python-sdk>=0.2.4
 shipyard-neo-sdk>=0.2.0
 packaging>=24.2
-qrcode>=8.2
+qrcode>=8.2
+argon2-cffi>=23.1.0