Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

caddyauth: Speed up basicauth provision, deprecate scrypt #4720

Merged
merged 3 commits into from
Sep 5, 2022

Conversation

francislavoie
Copy link
Member

@francislavoie francislavoie commented Apr 22, 2022

When provisioning basicauth, there's a big performance hit on loading/reloading configs because it calculates a fake password; we don't need to do this on-the-fly, it's totally fine to hash the password once offline and just hardcode it.

I did change the Hasher interface unfortunately because it's really the cleanest way to implement this, but I'm not aware of any plugins that implement another hashing algorithm anyways, so the breaking change should probably be fine.


FWIW I still think we should drop scrypt altogether, and stop using base64-encoded strings.

I don't see any compelling reason to keep scrypt, it has way too many knobs, and having the salt not being built-in makes it very error prone to use correctly. See https://passlib.readthedocs.io/en/stable/lib/passlib.hash.scrypt.html for example, which discourages its use.

And no need for base64 because bcrypt already uses a safe string format (called Modular Crypt Format), so we're just base64 encoding an already-ASCII string which just obfuscates the configured work factor (which is plainly visible in the bcrypt header). For example, the bcrypt I hard-coded in here, base64 decoded, is $2a$14$X3ulqf/iGxnf1k6oMZ.RZeJUoqI9PX2PM4rS5lkIKJXduLGXGPrt6 which you can clearly see at the start $14 which means the work factor is 14. That's its only config knob, and can tell you if it's time to re-hash the passwords if that work factor is now too weak (14 is still ridiculously strong, arguably way too high for a webserver, see https://twitter.com/TychoTithonus/status/1546270126730723329 and above).

@francislavoie francislavoie requested a review from mholt April 22, 2022 02:21
@francislavoie francislavoie added the optimization 📉 Performance or cost improvements label Apr 22, 2022
@francislavoie francislavoie force-pushed the faster-basicauth-provision branch 2 times, most recently from 161d6f6 to fd96647 Compare April 22, 2022 02:58
@francislavoie
Copy link
Member Author

I decided to make the commit to deprecate scrypt and add support for Modular Crypt Format for bcrypt (and caddy hash-password now outputs them in that format, without the redundant base64).

This is a big UX simplification and avoids a lot of potential footguns that scrypt carries.

@francislavoie francislavoie changed the title caddyauth: Speed up basicauth provisioning, precalculate fake password caddyauth: Speed up basicauth provision, deprecate scrypt Apr 22, 2022
@francislavoie francislavoie force-pushed the faster-basicauth-provision branch from e6f83c8 to da828d2 Compare July 12, 2022 04:01
@mholt mholt modified the milestone: v2.5.3 Jul 12, 2022
@francislavoie francislavoie force-pushed the faster-basicauth-provision branch from da828d2 to f45baa4 Compare August 23, 2022 05:33
@francislavoie
Copy link
Member Author

@mholt can I bump this up your queue? I'd really like to get this in for 2.6.0 betas, since it involves a deprecation and a significant performance fix.

@mholt
Copy link
Member

mholt commented Aug 23, 2022

Yeah. But events first :)

Copy link
Member

@mholt mholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just a nit so I don't forget later to remove the cruft.

We'll document that scrypt is being deprecated and may be removed in the future -- not because it's broken, just because the config surface isn't ideal for our use case. Maybe I'll move it into a separate plugin repo later.

modules/caddyhttp/caddyauth/basicauth.go Show resolved Hide resolved
@francislavoie francislavoie force-pushed the faster-basicauth-provision branch from d2d103a to 537125d Compare September 5, 2022 19:22
Copy link
Member

@mholt mholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool. Thank you! Sorry it took me a while to get around to this.

@mholt mholt merged commit 6e3063b into master Sep 5, 2022
@mholt mholt deleted the faster-basicauth-provision branch September 5, 2022 19:33
@mholt mholt modified the milestones: v2.6.0-beta.1, v2.6.0 Sep 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
optimization 📉 Performance or cost improvements
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants