fix(postinst): thorough audit - fix argon2 salt and verify all password generation logic

chore: bump version to 1.1.6 (#56 )
2026-06-09 08:42:33 -05:00 · 2026-06-09 08:21:20 -05:00
1 changed files with 4 additions and 1 deletions
--- a/debian/postinst
+++ b/debian/postinst
@ -207,8 +207,11 @@ generate_admin_password() {
    admin_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9!@#%^&*' | head -c 24)

    # Hash with argon2 (PHC format, compatible with the application)
+    # Generate a random 16-character salt (argon2 requires minimum 8 characters)
+    local admin_salt
+    admin_salt=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9' | head -c 16)
    local password_hash
-    password_hash=$(echo -n "${admin_password}" | argon2 salt -id -t 3 -m 16 -p 1 -l 32 -e)
+    password_hash=$(echo -n "${admin_password}" | argon2 "${admin_salt}" -id -t 3 -m 16 -p 1 -l 32 -e)

    # Update admin user password in database
    # Only update if the placeholder hash is still present
Author	SHA1	Message	Date
Draco-Lunaris-Echo	4c02b778c0	fix(postinst): thorough audit - fix argon2 salt and verify all password generation logic	2026-06-09 08:42:33 -05:00
Draco-Lunaris-Echo	0c0f952f7f	chore: bump version to 1.1.6 (#56 ) Some checks failed CI Pipeline / Rust Format Check (push) Successful in 3s CI Pipeline / Clippy Lints (push) Successful in 53s CI Pipeline / Rust Unit Tests (push) Failing after 1m27s CI Pipeline / Security Audit (push) Successful in 4s CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s CI Pipeline / Build .deb & Release (push) Has been skipped	2026-06-09 08:21:20 -05:00