feat: configurable default KDF type for new user registrations #6983
Open
dnplkndll wants to merge 1 commit into dani-garcia:main from
Add CLIENT_KDF_TYPE, CLIENT_KDF_ITERATIONS, CLIENT_KDF_MEMORY, and CLIENT_KDF_PARALLELISM environment variables to allow server admins to set the default KDF for new user registrations.

Currently the default KDF is hardcoded to PBKDF2 with 600,000 iterations. Argon2id is memory-hard and significantly more resistant to GPU-based brute-force attacks, but admins have no way to set it as the default without modifying source code.

Existing users are unaffected and can change their KDF in account settings. Setting CLIENT_KDF_TYPE=1 enables Argon2id with sensible defaults (3 iterations, 64MB memory, 4 parallelism).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Adds CLIENT_KDF_TYPE, CLIENT_KDF_ITERATIONS, CLIENT_KDF_MEMORY, and CLIENT_KDF_PARALLELISM environment variables to allow server admins to configure the default KDF for new user registrations.

Closes #6982
Motivation
The default KDF is currently hardcoded to PBKDF2 with 600,000 iterations. Argon2id is memory-hard and significantly more resistant to GPU-based brute-force attacks, but admins have no way to set it as the default without modifying source code. This is particularly important for self-hosted family/team instances where users are unlikely to change their KDF settings manually.
Changes
- src/config.rs — Add 4 config entries with input validation matching existing Argon2id parameter validation
- src/db/models/user.rs — Replace hardcoded CLIENT_KDF_TYPE_DEFAULT / CLIENT_KDF_ITER_DEFAULT constants with config-backed functions. Automatically uses sensible Argon2id defaults (3 iterations, 64MB, 4 parallelism) when CLIENT_KDF_TYPE=1
- src/api/core/accounts.rs — Use config values for prelogin response when email is not found (previously hardcoded to PBKDF2)
- .env.template — Document new variables
Backwards Compatibility
Testing
Tested on a self-hosted instance with CLIENT_KDF_TYPE=1:
- {"kdf": 1, "kdfIterations": 3, "kdfMemory": 64, "kdfParallelism": 4} for unknown emails
Example
That's it — sensible Argon2id defaults are applied automatically.
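The following is an added example, not code from this pull request or from vaultwarden: a sketch of resolving the CLIENT_KDF_* settings into registration defaults and reusing them for the prelogin answer to an unknown email, so that answer matches what an account created under the same configuration would return. The names KdfParams, setting, default_kdf and prelogin are hypothetical, and the accepted ranges are assumptions because the page does not list them.

```rust
use std::collections::HashMap;

// Added example with hypothetical names; not vaultwarden's implementation.
#[derive(Debug, Clone, PartialEq)]
pub struct KdfParams { pub kdf: i32, pub iterations: i32, pub memory: Option<i32>, pub parallelism: Option<i32> }

// Read one optional integer setting; a present but malformed value is an error.
fn setting(env: &HashMap<&str, &str>, key: &str) -> Result<Option<i32>, String> {
    match env.get(key) {
        None => Ok(None),
        Some(v) => v.trim().parse::<i32>().map(Some).map_err(|_| format!("{} must be an integer", key)),
    }
}

// Default KDF for new registrations, resolved from the CLIENT_KDF_* settings.
pub fn default_kdf(env: &HashMap<&str, &str>) -> Result<KdfParams, String> {
    match setting(env, "CLIENT_KDF_TYPE")?.unwrap_or(0) {
        0 => {
            let iterations = setting(env, "CLIENT_KDF_ITERATIONS")?.unwrap_or(600_000);
            // Assumed floor; the page does not state the accepted range.
            if iterations < 100_000 { return Err("PBKDF2 iterations below assumed floor".into()); }
            Ok(KdfParams { kdf: 0, iterations, memory: None, parallelism: None })
        }
        1 => {
            // Argon2id defaults from the page: 3 iterations, 64 MB, parallelism 4.
            let iterations = setting(env, "CLIENT_KDF_ITERATIONS")?.unwrap_or(3);
            let memory = setting(env, "CLIENT_KDF_MEMORY")?.unwrap_or(64);
            let parallelism = setting(env, "CLIENT_KDF_PARALLELISM")?.unwrap_or(4);
            // Assumed ranges; the page does not list them.
            if iterations < 1 || !(15..=1024).contains(&memory) || !(1..=16).contains(&parallelism) {
                return Err("Argon2id parameter outside assumed range".into());
            }
            Ok(KdfParams { kdf: 1, iterations, memory: Some(memory), parallelism: Some(parallelism) })
        }
        other => Err(format!("unsupported CLIENT_KDF_TYPE {}", other)),
    }
}

// Prelogin: a known account returns its stored KDF; an unknown email returns the
// configured default, so it looks like an account registered under this config.
pub fn prelogin(env: &HashMap<&str, &str>, stored: Option<&KdfParams>) -> Result<KdfParams, String> {
    match stored { Some(p) => Ok(p.clone()), None => default_kdf(env) }
}

fn main() {
    let env = HashMap::from([("CLIENT_KDF_TYPE", "1")]); // constructed sample config
    println!("{:?}", prelogin(&env, None));
}
```

Rejecting out-of-range values at startup, rather than falling back silently, keeps a typo in the environment from weakening the KDF handed to every new account.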