Problem

Password hashing :hash:
The password hashing process is hard-coded and can't be modified in any way. There are cases where we do need control over how a password is hashed:
- The current flow is that the user is fetched and then the password is checked. But we don't want the DB to return the user at all until we are 100% sure the password is right. So we need to hash the password first and query by matching hashed passwords.
- Another simple example is that the application may have its own requirements on hashing algorithms.

Confirming/Recovering tokens :envelope:
Reasons for un-hardcoding this part:
- For easier and better testing we need the ability to mock the token, selector and verifier.
- We need tokens to look shorter/prettier for some reason.

Problematic part :red_circle:
authboss.go has a public helper function VerifyPassword that now works only if we use the default Hasher. A TODO item is left there in the comments explaining the issue.
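As an added illustration (not authboss's own code), one way a pluggable hasher lets VerifyPassword work with any implementation rather than only the default: the Hasher interface, the SaltedSHA256 stand-in and this VerifyPassword are hypothetical names; the stand-in uses salted SHA-256 only because the Go standard library has no bcrypt or argon2, which a production default must use.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Hasher is the pluggable contract (hypothetical name, not authboss's own API).
type Hasher interface {
	GenerateHash(password string) (string, error)
	CompareHashAndPassword(hash, password string) error
}

var ErrMismatch = errors.New("password mismatch")
// SaltedSHA256 is a stand-in default storing hex(salt || sha256(salt || pw)). It exists only
// because the standard library has no bcrypt/argon2, which a real default must use instead.
type SaltedSHA256 struct{}

func digest(salt []byte, pw string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return sum[:]
}

func (SaltedSHA256) GenerateHash(pw string) (string, error) {
	salt := make([]byte, 16) // fresh random salt, so equal passwords never share a hash
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return hex.EncodeToString(append(salt, digest(salt, pw)...)), nil
}

func (SaltedSHA256) CompareHashAndPassword(hash, pw string) error {
	raw, err := hex.DecodeString(hash)
	if err != nil || len(raw) != 16+sha256.Size {
		return errors.New("malformed hash")
	}
	if !hmac.Equal(raw[16:], digest(raw[:16], pw)) { // constant-time comparison
		return ErrMismatch
	}
	return nil
}

// VerifyPassword takes the configured Hasher instead of assuming the default one.
func VerifyPassword(h Hasher, hash, pw string) error { return h.CompareHashAndPassword(hash, pw) }

func main() { _ = VerifyPassword(SaltedSHA256{}, "", "") } // keeps package main buildable
```

Because any salted scheme (bcrypt included) needs the stored salt before it can recompute the hash, the query-by-hashed-password flow described above only works with a deterministic hasher plugged in through this interface.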
Fixes #319, #288