Issue warning to folks using old sha256 hashed password

[jsjoeio]

@jawnsy had a great idea:

I'm not sure where in the code to put it, but it would be nice to issue a warning if someone is using the plain text/cookie/sha256 methods to tell them that their authentication method is insecure, and to consider upgrading to argon2.

See: #3422 (comment)

Will look at after: #3422

[finzzz]

I've tried to use argon2 but apparently it needs salt. But when I use salt, code-server cannot verify it.

[jsjoeio]

Hmm...that doesn't seem right. Can you provide steps to reproduce?

[finzzz]

Sorry my bad, I tried to use

echo "password" | argon2 passphrase -e

instead of

echo -n "password" | argon2 passphrase -e

But probably will help if someone encounters similar issue.

[jsjoeio]

You have to use argon2-cli because that's what code-server uses under the hood. I don't think argon2 will work because it uses a different hashing algorithm compared to argon2 the npm package (unless it changed and it does work, but that would be new to me).

Video

Here's how you can do it:

Screen.Recording.2021-08-10.at.1.55.39.PM.mov

[finzzz]

I don't know what's under the hood, but it works with argon2.

[jsjoeio]

Ah, interesting! Maybe I was using it wrong before but hey, glad that works then 🙌

[antofthy]

I for one would love to be able to figure out (or retrieve) the session token! Either from the password, or from the code-server configuration files. So far no luck getting anything to match up to the cookie! Code-Server v3.12.0

[jsjoeio]

So the user declares the password in the code-server config file. The password is then hashed and sent back in the response to the client and stored as a cookie. Here is the logic: https://github.com/coder/code-server/blob/main/src/node/routes/login.ts#L87

[antofthy]

Though I declare the password in an environment variable ($PASSWORD) in a docker instance.
But after some experiments I validated the URL encoded value of the 'key' cookie, to the given password.
As such if the cookie can be preset set for that website, I should be able to auto-initialise the login for a already authenticated user.

One small step... leading to another.
Of course if the hashing method changes that all gets broken!