Open heguro opened 1 year ago
Indeed! The "real" PDS instance in TypeScript (at https://github.com/bluesky-social/atproto) uses scrypt for password hashing.
Right now the PDS implementation in golang ("laputa") is not useful for much beyond automated testing. In a testing context we want to be able to create and log in many "fake" accounts quickly, so we probably wouldn't accept a patch to add proper password hashing unless there was an easy way to disable it.
This isn't a priority at the moment, but absolutely would be a blocking issue for this implementation to become a real self-hosting option.
Just to ensure there isn't duplicate work on this, @erka has a nice PR to add hashing (https://github.com/bluesky-social/indigo/pull/109). We are not likely to review and merge that for a couple weeks, but it looks like it will resolve this issue.
By default, raw passwords are stored in data/laputa/pds.sqlite. I think we should use password-hashing or something.
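An added example, not code from this thread, from indigo or from atproto: one way to reconcile the two requirements discussed above (scrypt hashing, plus fast bulk account creation in tests) is to store the scrypt cost with each record and pick a cheap profile only in tests, so records never fall back to plaintext. It uses Node's built-in `crypto` module; the profile names, parameter values and the `scrypt$N$r$p$salt$hash` record format are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical cost profiles (assumed values, not taken from either PDS).
const PROFILES = {
  production: { N: 1 << 14, r: 8, p: 1 },
  testing: { N: 1 << 4, r: 1, p: 1 }, // cheap: bulk fake accounts only
};
const KEY_LEN = 32;
const MAX_MEM = 64 * 1024 * 1024; // upper bound on scrypt memory use
const FAIL = { ok: false, rehash: false };

function derive(password, salt, { N, r, p }) {
  return crypto.scryptSync(password, salt, KEY_LEN, { N, r, p, maxmem: MAX_MEM });
}

// Returns "scrypt$N$r$p$salt$hash"; the cost travels with each record.
function hashPassword(password, profile = 'production') {
  const { N, r, p } = PROFILES[profile];
  const salt = crypto.randomBytes(16);
  const key = derive(password, salt, { N, r, p });
  return ['scrypt', N, r, p, salt.toString('base64'), key.toString('base64')].join('$');
}

// ok: the password matches. rehash: the record was made with a lower cost
// than the active profile (e.g. a test-cost record) and should be
// re-hashed on this login. Raw-password rows never verify.
function verifyPassword(password, stored, profile = 'production') {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return FAIL;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  if (![N, r, p].every(Number.isInteger) || N < 2 || r < 1 || p < 1) return FAIL;
  const salt = Buffer.from(parts[4], 'base64');
  const want = Buffer.from(parts[5], 'base64');
  if (want.length !== KEY_LEN) return FAIL;
  let got;
  try {
    got = derive(password, salt, { N, r, p });
  } catch {
    return FAIL; // invalid or over-budget parameters in the record
  }
  const ok = crypto.timingSafeEqual(got, want);
  return { ok, rehash: ok && N < PROFILES[profile].N };
}
```

A server running the production profile can use the `rehash` flag to upgrade any low-cost record at the next successful login.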