CalPolySEC / wrath-ctf-framework

What? Really? AnoTHer CTF Framework :triangular_flag_on_post:
MIT License

Use pysodium instead of argon_cffi for argon2 #62

Closed sig1nt closed 5 years ago

sig1nt commented 6 years ago

Some questions people might have about this PR:

Why Not argon_cffi?

argon_cffi is an immensely heavy package, a large part of this stemming from its requirement of cffi which in turn requires an ENTIRE C COMPILER. This is not cffi's fault, as it is a massive library that is designed for all kinds of C-related things, and argon_cffi uses a very small portion of that. Still, it adds a lot of weight to the application which is designed to be quite lightweight. Additionally, argon_cffi uses its own version of argon2, and I would trust libsodium more than it any day of the week given libsodium's current popularity.

Why pysodium?

pysodium is a very simple program, pretty much just making calls directly into libsodium. This means that any issues that may arise in the library will be derivative of libsodium, and thus we can rely on libsodium's team to properly patch and maintain it, without being too worried about whether this python library will continue to be maintained.

Why INTERACTIVE mode for argon2?

After running benchmarks for all three modes, the decision simply came out of usability. In even MODERATE mode, the application slowed to a crawl and response times could be felt to be slower. Additionally, the build and test cycle became equally painful, and since Argon2 is a perfectly fine hashing strategy for the time being, I feel it's safe to keep in interactive mode.

Why did you remove the anti-username discovery code?

If people want to discover usernames, they can just try to sign up for that account and if it says "this username is already taken", then the username has been discovered.
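The INTERACTIVE choice above, as an added example that is not part of this PR or the project's code: hashing through pysodium's `crypto_pwhash_str` with libsodium's interactive limits, plus a pure-Python check of the cost parameters libsodium embeds in the stored string, so hashes below the chosen preset can be spotted and re-hashed on the next login if the preset is ever raised. The preset numbers are libsodium's argon2id defaults as I know them, and the sample hash strings are constructed, not real output.

```python
"""Argon2 via pysodium (INTERACTIVE preset) and an audit of stored hash strings."""
import re

try:
    import pysodium  # only needed by hash_password / verify_password
except ImportError:  # the parameter audit below runs without libsodium
    pysodium = None

# libsodium argon2id presets as (opslimit, memlimit in bytes); assumption.
PRESETS = {
    "interactive": (2, 64 * 1024 * 1024),
    "moderate": (3, 256 * 1024 * 1024),
    "sensitive": (4, 1024 * 1024 * 1024),
}

# Layout of crypto_pwhash_str() output: $argon2id$v=19$m=<KiB>,t=<ops>,p=<lanes>$<salt>$<tag>
HASH_RE = re.compile(
    r"^\$(?P<alg>argon2id|argon2i)\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$(?P<salt>[^$]+)\$(?P<tag>[^$]+)$"
)

def hash_password(password: str) -> bytes:
    """Hash with the INTERACTIVE preset; libsodium generates the salt itself."""
    ops = pysodium.crypto_pwhash_OPSLIMIT_INTERACTIVE
    mem = pysodium.crypto_pwhash_MEMLIMIT_INTERACTIVE
    return pysodium.crypto_pwhash_str(password.encode(), ops, mem)

def verify_password(stored: bytes, password: str) -> bool:
    """pysodium raises ValueError on mismatch; map that to a boolean."""
    try:
        pysodium.crypto_pwhash_str_verify(stored, password.encode())
        return True
    except ValueError:
        return False

def parse_params(stored: bytes) -> dict:
    """Extract algorithm and costs; the libsodium buffer is NUL-padded, so strip it."""
    m = HASH_RE.match(stored.rstrip(b"\x00").decode("ascii"))
    if m is None:
        raise ValueError("not a libsodium argon2 string")
    return {"alg": m["alg"], "mem_bytes": int(m["m"]) * 1024,
            "ops": int(m["t"]), "lanes": int(m["p"])}

def needs_rehash(stored: bytes, preset: str = "interactive") -> bool:
    """True when a stored hash is weaker than the preset, so it can be re-hashed at login."""
    min_ops, min_mem = PRESETS[preset]
    p = parse_params(stored)
    return p["alg"] != "argon2id" or p["ops"] < min_ops or p["mem_bytes"] < min_mem

# Constructed sample string (salt/tag are placeholders, not a real hash).
SAMPLE = b"$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaA" + b"\x00" * 8
```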