Internal Email/password based authentication

[AlexGilleran]

Description

Currently you have to plug Magda into some other auth provider in order to have user accounts / authentication.

This:

• Makes it hard to setup for new users
  • In particular, it prevents us from having a working admin account from day 1
• Forces a dependency on another service
• Isn't really appropriate for users who can't integrate with an existing trusted SSO service, but also don't want to use something like Google or Facebook.

So it's time to provide our own username (or email) and password authentication.

Acceptance Criteria

• An administrator with technical skills and access to the DB (i.e. one of us, or someone else who's set magda up) should be able to create a new user and set a password for them. This doesn't need to be via the UI (it can be a command-line tool that just connects direct to the DB for the first pass)
• An administrator (as above) should be able to reset the password (once again, this could be via a CLI tool)
• The password should be properly hashed #️⃣ and salted 🧂 - see OWASP, Troy Hunt guides on doing this properly.
• This new login method should be available through the UI to the user
• The login in the UI should have a "Forgot your password? Email mailto: link

Out of Scope

• Changing passwords through the UI
• Resetting passwords through the UI
• "I forgot my password" button
• Strong password requirements (initially it'll only be us using it, I trust you not to set the password to "password" unless it doesn't matter)

Technical Notes

• Ideally this could just be another plugin for passport, along with the data.gov.au one, vanguard one etc etc etc
• Hopefully someone's done something like this before in OSS land and we can just steal reuse it.
• Keep everything in magda-core for now. Building it straight into the gateway is also fine if that's easier, we can pull it out later.

[t83714]

Will use bcrypt password hasing function to generate hash.
It uses Blowfish (which is slow and defence GPU / FPGA brutal-force attack well) internally and modular crypt format (MCF) is used to encode the hashing string.
The salting round uses (default 10 increased to 12 as suggested by owasp) which should be slow enough.
Let me know if any thoughts on this @AlexGilleran

[AlexGilleran]

Seems fine to me - just make sure that it takes the same amount of time whether you get the email/password wrong or right :)

[t83714]

bcrypt generally isn't susceptible to timing attacks especially our case attacker can't do offline cracking 😄
Many people discussed on the time attack topic on bcrypt see here and here