feat: real SCRAM-SHA-256 authentication (Option C)
Security: - New scram.nim module with full SCRAM-SHA-256 per RFC 7677 * PBKDF2-HMAC-SHA-256 key derivation * HMAC-SHA-256 with multiple overloads for bytes/strings * Secure nonce/salt generation via /dev/urandom * Client/server message parsing and proof verification AuthManager updates: - registerScramUser(): stores salted credentials (salt + iterations + storedKey + serverKey) - startScram(): initiates challenge-response handshake - finishScram(): verifies client proof and returns server signature - Legacy amSCRAMSHA256 path kept for backward compatibility HTTP endpoints: - POST /auth/scram/start — accepts client-first-message, returns server-first - POST /auth/scram/finish — accepts client-final-message, returns server-final Tests: - SCRAM-SHA-256 full handshake test (register → start → compute proof → finish) - SCRAM-SHA-256 invalid proof rejection test Build: 0 warnings, all tests pass
This commit is contained in:
@@ -104,7 +104,7 @@
|
||||
- Моделира sync между document/vector/graph/FTS индекси
|
||||
- Резултат: 10-ти TLA+ спек, пълно покритие на core модулите
|
||||
|
||||
### Опция C: Auth hardening + SCRAM (3-4 часа)
|
||||
### Опция C: Auth hardening + SCRAM ✅
|
||||
- Истински SCRAM-SHA-256 със salt, iteration count, challenge-response
|
||||
- Резултат: production-grade auth
|
||||
|
||||
|
||||
Reference in New Issue
Block a user