Issue warning to folks using old sha256 hashed password #3560
Comments
I've tried to use argon2 but apparently it needs salt. But when I use salt, code-server cannot verify it.
Hmm...that doesn't seem right. Can you provide steps to reproduce?
Sorry my bad, I tried to use
instead of
But probably will help if someone encounters similar issue.
You have to use
Here's how you can do it: Screen.Recording.2021-08-10.at.1.55.39.PM.mov
I don't know what's under the hood, but it works with argon2.
Ah, interesting! Maybe I was using it wrong before but hey, glad that works then 🙌
I for one would love to be able to figure out (or retrieve) the session token! Either from the password, or from the code-server configuration files. So far no luck getting anything to match up to the cookie! Code-Server v3.12.0
So the user declares the password in the code-server config file. The password is then hashed and sent back in the response to the client and stored as a cookie. Here is the logic: https://github.com/coder/code-server/blob/main/src/node/routes/login.ts#L87
Though I declare the password in an environment variable ($PASSWORD) in a docker instance. One small step... leading to another.
@antofthy we'll keep an eye on any argon2 issues. If it does change, we should be able to add backwards-compatibility. You'll know though from the release notes.
Merging with #3546
@jawnsy had a great idea:
See: #3422 (comment)
Will look at after: #3422
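
One way to tell a legacy SHA-256 value from an argon2 one at startup so a warning can be issued, as an added example that is not code-server's own code. It assumes the stored value is either a 64-character hex digest or an argon2 encoded string; the function names and sample values are constructed for illustration.

```javascript
// Added example, not code-server's implementation. Function names are hypothetical.
// An argon2 encoded string carries variant, version, cost parameters and salt:
//   $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>
const ARGON2_RE =
  /^\$(argon2(?:id|i|d))(?:\$v=(\d+))?\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$/;
// A bare SHA-256 digest is 64 hex characters: no salt, no cost parameters.
const SHA256_HEX_RE = /^[0-9a-f]{64}$/i;

// Constructed sample values (not real password hashes).
const SAMPLE_ARGON2 =
  "$argon2id$v=19$m=65536,t=3,p=4$c2FtcGxlc2FsdHZhbHVl$Y29uc3RydWN0ZWRoYXNob3V0cHV0Zm9ydGVzdA";
const SAMPLE_SHA256 = "0123456789abcdef".repeat(4);

// Classify a stored hashed-password value by its format alone.
function classifyHashedPassword(value) {
  const v = String(value).trim();
  const m = ARGON2_RE.exec(v);
  if (m) {
    return {
      method: "ARGON2",
      variant: m[1],
      version: m[2] === undefined ? null : Number(m[2]),
      memoryKiB: Number(m[3]),
      iterations: Number(m[4]),
      parallelism: Number(m[5]),
      salt: m[6], // the salt travels inside the encoded string
    };
  }
  if (SHA256_HEX_RE.test(v)) return { method: "SHA256" };
  return { method: "UNKNOWN" };
}

// Return the warnings an operator should see for this value.
function startupWarnings(value) {
  const info = classifyHashedPassword(value);
  if (info.method === "SHA256") {
    return ["hashed password is a bare SHA-256 digest; regenerate it with argon2"];
  }
  if (info.method === "UNKNOWN") {
    return ["hashed password is neither an argon2 encoded string nor a SHA-256 hex digest"];
  }
  return []; // argon2: nothing to warn about
}

for (const sample of [SAMPLE_ARGON2, SAMPLE_SHA256, "hunter2"]) {
  console.log(classifyHashedPassword(sample).method, startupWarnings(sample));
}
```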