Remove argon2 password hashing

Author: msujew

package.json

@@ -59,7 +59,6 @@
   },
   "dependencies": {
     "@vscode/vscode-languagedetection": "1.0.15",
-    "argon2": "^0.28.2",
     "applicationinsights": "1.0.8",
     "chokidar": "3.5.1",
     "express": "^4.17.1",

src/vs/server/node/auth.ts

@@ -1,8 +1,6 @@
-import * as http from 'http';
 import * as crypto from 'crypto';
-import * as argon2 from 'argon2';
+import * as express from 'express';
 import { ServerParsedArgs } from 'vs/server/node/args';
-import { serveError } from 'vs/server/node/http';
 
 /** Ensures that the input is sanitized by checking
  * - it's a string
@@ -15,92 +13,39 @@ export function sanitizeString(str: string): string {
 	return typeof str === 'string' && str.trim().length > 0 ? str.trim() : '';
 }
 
-export const ensureAuthenticated = async (args: ServerParsedArgs, req: http.IncomingMessage, res: http.ServerResponse): Promise<boolean> => {
-	const isAuthenticated = await authenticated(args, req);
-	if (!isAuthenticated) {
-		serveError(req, res, 401, 'Unauthorized');
-	}
-	return isAuthenticated;
-};
-
 /**
  * Return true if authenticated via cookies.
  */
-export const authenticated = async (args: ServerParsedArgs, req: http.IncomingMessage): Promise<boolean> => {
+export const authenticated = async (args: ServerParsedArgs, req: express.Request): Promise<boolean> => {
 	if (!args.password && !args.hashedPassword) {
 		return true;
 	}
-	const passwordMethod = getPasswordMethod(args.hashedPassword);
-	const cookies = parseCookies(req);
 	const isCookieValidArgs: IsCookieValidArgs = {
-		passwordMethod,
-		cookieKey: sanitizeString(cookies.key),
-		passwordFromArgs: args.password || '',
-		hashedPasswordFromArgs: args.hashedPassword,
+		cookieKey: sanitizeString(req.cookies.key),
+		passwordFromArgs: args.password || ''
 	};
 
 	return await isCookieValid(isCookieValidArgs);
 };
 
-function parseCookies(request: http.IncomingMessage): Record<string, string> {
-	const cookies: Record<string, string> = {},
-		rc = request.headers.cookie;
-
-	// eslint-disable-next-line code-no-unused-expressions
-	rc && rc.split(';').forEach(cookie => {
-		let parts = cookie.split('=');
-		if (parts.length > 0) {
-			const name = parts.shift()!.trim();
-			let value = decodeURI(parts.join('='));
-			value = value.substring(1, value.length - 1);
-			cookies[name] = value;
-		}
-	});
-
-	return cookies;
-}
-
-export type PasswordMethod = 'ARGON2' | 'PLAIN_TEXT';
-
-/**
- * Used to determine the password method.
- *
- * There are three options for the return value:
- * 1. "SHA256" -> the legacy hashing algorithm
- * 2. "ARGON2" -> the newest hashing algorithm
- * 3. "PLAIN_TEXT" -> regular ol' password with no hashing
- *
- * @returns "ARGON2" | "PLAIN_TEXT"
- */
-export function getPasswordMethod(hashedPassword: string | undefined): PasswordMethod {
-	if (!hashedPassword) {
-		return 'PLAIN_TEXT';
-	}
-	return 'ARGON2';
-}
-
 type PasswordValidation = {
 	isPasswordValid: boolean
 	hashedPassword: string
 };
 
 type HandlePasswordValidationArgs = {
-	/** The PasswordMethod */
-	passwordMethod: PasswordMethod
 	/** The password provided by the user */
-	passwordFromRequestBody: string
+	passwordFromRequestBody: string | undefined
 	/** The password set in PASSWORD or config */
 	passwordFromArgs: string | undefined
-	/** The hashed-password set in HASHED_PASSWORD or config */
-	hashedPasswordFromArgs: string | undefined
 };
 
 function safeCompare(a: string, b: string): boolean {
 	if (b.length > a.length) {
-		a = a.padEnd(b.length);
+		a = a.padEnd(b.length, '0');
 	}
 	if (a.length > b.length) {
-		b = b.padEnd(a.length);
+		b = b.padEnd(a.length, '0');
 	}
 	return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
 }
@@ -113,114 +58,44 @@ export const generatePassword = async (length = 24): Promise<string> => {
 	return buffer.toString('hex').substring(0, length);
 };
 
-/**
- * Used to hash the password.
- */
-export const hash = async (password: string): Promise<string> => {
-	try {
-		return await argon2.hash(password);
-	} catch (error) {
-		console.error(error);
-		return '';
-	}
-};
-
-/**
- * Used to verify if the password matches the hash
- */
-export const isHashMatch = async (password: string, hash: string) => {
-	if (password === '' || hash === '' || !hash.startsWith('$')) {
-		return false;
-	}
-	try {
-		return await argon2.verify(hash, password);
-	} catch (error) {
-		throw new Error(error);
-	}
-};
-
-/**
- * Used to hash the password using the sha256
- * algorithm. We only use this to for checking
- * the hashed-password set in the config.
- *
- * Kept for legacy reasons.
- */
-export const hashLegacy = (str: string): string => {
+export const hash = (str: string): string => {
 	return crypto.createHash('sha256').update(str).digest('hex');
 };
 
-/**
- * Used to check if the password matches the hash using
- * the hashLegacy function
- */
-export const isHashLegacyMatch = (password: string, hashPassword: string) => {
-	const hashedWithLegacy = hashLegacy(password);
+export const isHashMatch = (password: string, hashPassword: string) => {
+	const hashedWithLegacy = hash(password);
 	return safeCompare(hashedWithLegacy, hashPassword);
 };
 
-/**
- * Checks if a password is valid and also returns the hash
- * using the PasswordMethod
- */
 export async function handlePasswordValidation({
-	passwordMethod,
 	passwordFromArgs,
-	passwordFromRequestBody,
-	hashedPasswordFromArgs,
+	passwordFromRequestBody
 }: HandlePasswordValidationArgs): Promise<PasswordValidation> {
 	const passwordValidation: PasswordValidation = {
 		isPasswordValid: false,
 		hashedPassword: '',
 	};
 
-	switch (passwordMethod) {
-		case 'PLAIN_TEXT': {
-			const isValid = passwordFromArgs ? safeCompare(passwordFromRequestBody, passwordFromArgs) : false;
-			passwordValidation.isPasswordValid = isValid;
+	if (passwordFromRequestBody) {
+		const isValid = passwordFromArgs ? safeCompare(passwordFromRequestBody, passwordFromArgs) : false;
+		passwordValidation.isPasswordValid = isValid;
 
-			const hashedPassword = await hash(passwordFromRequestBody);
-			passwordValidation.hashedPassword = hashedPassword;
-			break;
-		}
-		case 'ARGON2': {
-			const isValid = await isHashMatch(passwordFromRequestBody, hashedPasswordFromArgs || '');
-			passwordValidation.isPasswordValid = isValid;
-
-			passwordValidation.hashedPassword = hashedPasswordFromArgs || '';
-			break;
-		}
-		default:
-			break;
+		const hashedPassword = hash(passwordFromRequestBody);
+		passwordValidation.hashedPassword = hashedPassword;
 	}
 
 	return passwordValidation;
 }
 
 export type IsCookieValidArgs = {
-	passwordMethod: PasswordMethod
 	cookieKey: string
-	hashedPasswordFromArgs: string | undefined
 	passwordFromArgs: string | undefined
 };
 
 /** Checks if a req.cookies.key is valid using the PasswordMethod */
 export async function isCookieValid({
 	passwordFromArgs = '',
-	cookieKey,
-	hashedPasswordFromArgs = '',
-	passwordMethod,
+	cookieKey
 }: IsCookieValidArgs): Promise<boolean> {
-	let isValid = false;
-	switch (passwordMethod) {
-		case 'PLAIN_TEXT':
-			isValid = await isHashMatch(passwordFromArgs, cookieKey);
-			break;
-		case 'ARGON2':
-			isValid = safeCompare(cookieKey, hashedPasswordFromArgs);
-			break;
-		default:
-			break;
-	}
-	return isValid;
+	return isHashMatch(passwordFromArgs, cookieKey);
 }

src/vs/server/node/server.main.ts

@@ -56,7 +56,8 @@ import { IGetEnvironmentDataArguments, IRemoteAgentEnvironmentDTO, IScanExtensio
 import { REMOTE_FILE_SYSTEM_CHANNEL_NAME } from 'vs/workbench/services/remote/common/remoteAgentFileSystemChannel';
 import { RemoteExtensionLogFileName } from 'vs/workbench/services/remote/common/remoteAgentService';
 import { args, devMode } from 'vs/server/node/args';
-import { handleHttp, IServerOptions, rawURITransformerFactory } from 'vs/server/node/server.http';
+import { handleHttp, rawURITransformerFactory } from 'vs/server/node/server.http';
+import { IServerOptions } from 'vs/server/node/server.opts';
 
 export type IRawURITransformerFactory = (remoteAuthority: string) => IRawURITransformer;
 export const IRawURITransformerFactory = createDecorator<IRawURITransformerFactory>('rawURITransformerFactory');
@@ -426,6 +427,13 @@ export async function main(options: IServerOptions): Promise<void> {
 		// Delay creation of spdlog for perf reasons (https://github.com/microsoft/vscode/issues/72906)
 		bufferLogService.logger = new SpdLogLogger('main', join(environmentService.logsPath, `${RemoteExtensionLogFileName}.log`), true, bufferLogService.getLevel());
 
-		handleHttp(options, instantiationService, logService, environmentService, onDidClientConnectEmitter, channelServer);
+		handleHttp({
+			serverOptions: options,
+			instantiationService,
+			logService,
+			environmentService,
+			onDidClientConnectEmitter,
+			channelServer
+		});
 	});
 }

src/vs/server/node/server.opts.ts

@@ -0,0 +1,25 @@
+import * as cp from 'child_process';
+import * as http from 'http';
+import { IDisposable } from 'vs/base/common/lifecycle';
+import { IPCServer } from 'vs/base/parts/ipc/common/ipc';
+import { ServicesAccessor } from 'vs/platform/instantiation/common/instantiation';
+import { ServiceCollection } from 'vs/platform/instantiation/common/serviceCollection';
+import { RemoteAgentConnectionContext } from 'vs/platform/remote/common/remoteAgentEnvironment';
+
+export interface IStartServerResult {
+	installingInitialExtensions?: Promise<void>
+}
+
+export interface IServerOptions {
+	port?: number;
+	main?: string
+	mainDev?: string
+	skipExtensions?: Set<string>
+	configure?(services: ServiceCollection, channelServer: IPCServer<RemoteAgentConnectionContext>): void
+	start?(accessor: ServicesAccessor, channelServer: IPCServer<RemoteAgentConnectionContext>): IStartServerResult | void
+
+	configureExtensionHostForkOptions?(opts: cp.ForkOptions, accessor: ServicesAccessor, channelServer: IPCServer<RemoteAgentConnectionContext>): void;
+	configureExtensionHostProcess?(extensionHost: cp.ChildProcess, accessor: ServicesAccessor, channelServer: IPCServer<RemoteAgentConnectionContext>): IDisposable;
+
+	handleRequest?(pathname: string | null, req: http.IncomingMessage, res: http.ServerResponse, accessor: ServicesAccessor, channelServer: IPCServer<RemoteAgentConnectionContext>): Promise<boolean>;
+}