dimgigov
|
ac55237b72
|
feat: real SCRAM-SHA-256 authentication (Option C)
Security:
- New scram.nim module with full SCRAM-SHA-256 per RFC 7677
* PBKDF2-HMAC-SHA-256 key derivation
* HMAC-SHA-256 with multiple overloads for bytes/strings
* Secure nonce/salt generation via /dev/urandom
* Client/server message parsing and proof verification
AuthManager updates:
- registerScramUser(): stores salted credentials (salt + iterations + storedKey + serverKey)
- startScram(): initiates challenge-response handshake
- finishScram(): verifies client proof and returns server signature
- Legacy amSCRAMSHA256 path kept for backward compatibility
HTTP endpoints:
- POST /auth/scram/start — accepts client-first-message, returns server-first
- POST /auth/scram/finish — accepts client-final-message, returns server-final
Tests:
- SCRAM-SHA-256 full handshake test (register → start → compute proof → finish)
- SCRAM-SHA-256 invalid proof rejection test
Build: 0 warnings, all tests pass
|
2026-05-13 09:50:07 +03:00 |
|