Upgrade legacy passwords to Pbkdf2 automatically upon next login
For Mastodon -> Pleroma migration #162 (closed) I've opened !2527 (merged) to allow logging in with bcrypt passwords. I've implemented it the exact same way it was done for GNU Social -> Pleroma, which is to detect the password type and use a different library depending on the type. This is meant to be a temporary measure within the existing system.
I think we ideally want the passwords to get upgraded to Pbkdf2 the next time the user logs in. It should detect when a GNU Social or Mastodon password is entered, and after validating a match, create a new Pbkdf2 hash from the plaintext password and update the record in the database.
This is better for a number of reasons. One is just for consistency. The other is that it seems some functions call Pbkdf2 directly instead of going through AuthenticationPlug.checkpw(). For example, Pleroma.BBS.Authenticator will not work unless the password is upgraded to a Pbkdf2 hash. Just do a search for Pbkdf2.verify_hash and you'll find others.
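One way the detect, verify, then rehash flow could look, as an added Elixir sketch that is not Pleroma's own code: it assumes the bcrypt_elixir, pbkdf2_elixir, plug_crypto and crypt hex packages, and the `user.password_hash` field and `repo` argument are hypothetical names.

```elixir
defmodule LegacyPasswordUpgrade do
  @moduledoc """
  Hypothetical sketch (not Pleroma's code) of upgrading a legacy hash on login.
  Assumes the bcrypt_elixir, pbkdf2_elixir, plug_crypto and crypt packages.
  """

  # Verify a plaintext password against whatever hash is stored and, when the
  # hash is in a legacy format, return a fresh Pbkdf2 hash for the caller to save.
  @spec check_and_upgrade(String.t(), String.t()) ::
          {:ok, :current} | {:ok, :upgrade, String.t()} | :error
  def check_and_upgrade(password, "$pbkdf2" <> _ = hash) do
    if Pbkdf2.verify_pass(password, hash), do: {:ok, :current}, else: :error
  end

  # Mastodon stores bcrypt hashes ("$2a$" / "$2b$" prefix).
  def check_and_upgrade(password, "$2" <> _ = hash) do
    upgrade_if(Bcrypt.verify_pass(password, hash), password)
  end

  # GNU Social hashes are assumed here to be sha512-crypt ("$6$" prefix), checked
  # with the Erlang crypt library and a constant-time comparison.
  def check_and_upgrade(password, "$6$" <> _ = hash) do
    candidate = :crypt.crypt(password, hash)
    upgrade_if(Plug.Crypto.secure_compare(candidate, hash), password)
  end

  # Unknown or empty formats are rejected rather than guessed at.
  def check_and_upgrade(_password, _unknown_format), do: :error

  # Rehash only after the legacy hash has actually matched; a wrong password
  # must never overwrite the stored credential.
  defp upgrade_if(true, password), do: {:ok, :upgrade, Pbkdf2.hash_pwd_salt(password)}
  defp upgrade_if(false, _password), do: :error

  # Login path: `user.password_hash` and the `repo` module are assumed names.
  # On a successful legacy login the record is rewritten with the Pbkdf2 hash,
  # so later code paths that call Pbkdf2 directly will also work.
  def login(user, password, repo) do
    case check_and_upgrade(password, user.password_hash) do
      {:ok, :current} ->
        {:ok, user}

      {:ok, :upgrade, new_hash} ->
        user |> Ecto.Changeset.change(password_hash: new_hash) |> repo.update()

      :error ->
        {:error, :invalid_credentials}
    end
  end
end
```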