authorÉtienne Loks <etienne.loks@iggdrasil.net>2023-04-07 15:08:05 +0200
committerÉtienne Loks <etienne.loks@iggdrasil.net>2023-04-17 15:47:16 +0200
commit59d92f268b2a002b006250258bdc54880e080013 (patch)
tree90808846943f5ab92c2ae767336436a0bd29c560 /ishtar_common/utils.py
parenteddc473c05d4913dfcb8b7e747a94b22968f6ea3 (diff)
Force using a 128-bit salt for the password hasher
Diffstat (limited to 'ishtar_common/utils.py')
-rw-r--r--ishtar_common/utils.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/ishtar_common/utils.py b/ishtar_common/utils.py
index 12ab2e646..3a3c53853 100644
--- a/ishtar_common/utils.py
+++ b/ishtar_common/utils.py
@@ -28,6 +28,7 @@ from importlib import import_module
import io
from jinja2 import Template
import locale
+import math
import os
import random
import re
@@ -48,6 +49,7 @@ from django.apps import apps
from django.conf import settings
from django.conf.urls import url
from django.contrib.auth.models import Permission
+from django.contrib.auth.hashers import Argon2PasswordHasher as BaseArgon2PasswordHasher
from django.contrib.contenttypes.models import ContentType
from django.contrib.gis.geos import GEOSGeometry
from django.contrib.sessions.backends.db import SessionStore
@@ -60,6 +62,7 @@ from django.core.validators import EMPTY_VALUES
from django.urls import reverse
from django.db import models
from django.http import HttpResponseRedirect
+from django.utils.crypto import get_random_string
from django.utils.datastructures import MultiValueDict as BaseMultiValueDict
from django.utils.safestring import mark_safe
from django.template.defaultfilters import slugify
@@ -2290,3 +2293,17 @@ class EachCharacterTypeValidator:
) + ", ".join(
[str(character_type[0]) for character_type in self.character_types]
) + str(_("."))
+
+
+# picked from Django 3.2 to assure 128 bites salt - should be removed on upgrade
+class Argon2PasswordHasher(BaseArgon2PasswordHasher):
+ salt_entropy = 128
+ RANDOM_STRING_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
+
+ def salt(self):
+ """
+ Generate a cryptographically secure nonce salt in ASCII with an entropy
+ of at least `salt_entropy` bits.
+ """
+ char_count = math.ceil(self.salt_entropy / math.log2(len(self.RANDOM_STRING_CHARS)))
+ return get_random_string(char_count, allowed_chars=self.RANDOM_STRING_CHARS)
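Review bot: The subclass only takes effect if `PASSWORD_HASHERS` in the project settings lists `ishtar_common.utils.Argon2PasswordHasher` ahead of Django's built-in Argon2 hasher; that settings change is not part of this diff, so it should be confirmed, otherwise the base class with the shorter salt keeps being used. Because the `algorithm` identifier is inherited unchanged, existing `argon2$...` hashes stay verifiable, but whether they are re-hashed with the longer salt on next login depends on whether `must_update` in the installed Django version compares salt length against `salt_entropy` — presumably not, if the salt logic had to be backported, so worth checking. The header comment on the class has a typo and should name the removal trigger; suggested wording: `# backported from Django 3.2 to guarantee a 128-bit salt; remove once the project runs Django >= 3.2`. The `salt()` docstring could also state that `char_count` is rounded up so entropy is at least `salt_entropy` bits (22 chars for a 62-char alphabet and 128 bits).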