dandri/matrix-authentication-service
1
0
Fork 0
mirror of https://github.com/element-hq/matrix-authentication-service.git synced 2026-04-28 12:46:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow applying unicode normalisation to passwords before hashing

Browse Source
This commit is contained in:
Quentin Gliech
2025-05-30 15:33:34 +02:00
parent b229cb8018
commit 40cb052d1f
18 changed files with 128 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/config.schema.json
+4
View File
@@ -1613,6 +1613,10 @@
}
]
},
"unicode_normalization": {
"description": "Whether to apply Unicode normalization to the password before hashing\n\nDefaults to `false`, and generally recommended to stay false. This is although recommended when importing password hashs from Synapse, as it applies an NFKC normalization to the password before hashing it.",
"type": "boolean"
},
"cost": {
"description": "Cost for the bcrypt algorithm",
"default": 12,
docs/setup/migration.md
+2 -1
View File
@@ -47,7 +47,7 @@ When using this tool, be careful to examine the log output for any warnings abou
#### Local passwords
Synapse uses bcrypt as its password hashing scheme, while MAS defaults to using the newer argon2id.
You will have to configure the version 1 scheme as bcrypt for migrated passwords to work.
You will have to configure the version 1 scheme as bcrypt with `unicode_normalization: true` for migrated passwords to work.
It is also recommended that you keep argon2id as version 2 so that once users log in, their hashes will be updated to the newer, recommended scheme.
Example passwords configuration:
@@ -57,6 +57,7 @@ passwords:
schemes:
- version: 1
algorithm: bcrypt
unicode_normalization: true
# Optional, must match the `password_config.pepper` in the Synapse config
#secret: secretPepperValue
- version: 2