imbajin commented on code in PR #2918:
URL:
https://github.com/apache/incubator-hugegraph/pull/2918#discussion_r2629503244
##########
install-dist/release-docs/LICENSE:
##########
@@ -651,6 +651,7 @@ The text of each license is also included in
licenses/LICENSE-[project].txt.
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.4.0 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.7.1 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.0 -> Apache 2.0
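Review bot: this hunk leaves org.lz4:lz4-java listed at three versions (1.4.0, 1.7.1 and 1.8.0); a LICENSE file should name only the artifact versions that are actually bundled in the distribution, so confirm which of the three ship in install-dist and drop the superseded entries instead of accumulating one line per upgrade.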
Review Comment:
remove 1.8.0?
##########
hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManager.java:
##########
@@ -580,6 +580,7 @@ public HugeUser matchUser(String name, String password) {
}
if (StringEncoding.checkPassword(password, user.password())) {
+ // TODO: rehash password if bcrypt work factor is lower than
expected
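Review bot: the only change to the success path of matchUser is a TODO, so every pre-existing account keeps its old work-factor-4 hash indefinitely. This branch is the one place where the verified plaintext password is in hand, which makes it the only place an old hash can be upgraded; implement the rehash here (parse the cost out of user.password(), and if it is below the new work factor call StringEncoding.hashPassword on the verified password and persist the user) rather than deferring it. Also worth stating in the comment that hashes cannot be upgraded offline, so accounts that never log in again stay at the old cost until an operator forces a password reset.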
Review Comment:
**‼️ Critical: Missing security upgrade for existing users**
The bcrypt work factor is being increased from 4 to 10, but there's no
migration strategy for existing password hashes. The TODO comment suggests
awareness of this issue but provides no implementation.
**Problem:**
- Existing users with old hashes (work factor 4) remain vulnerable
- No automatic rehashing on successful login
- No admin tool to force password rehash
**Suggestion:**
Implement automatic password upgrade on successful authentication:
```suggestion
        if (StringEncoding.checkPassword(password, user.password())) {
            // Rehash password if bcrypt work factor is lower than expected
            if (requiresRehash(user.password())) {
                String newHash = StringEncoding.hashPassword(password);
                user.password(newHash);
                this.save(user);
            }
            this.pwdCache.update(user.id(), password);
            return user;
        }
```
Add helper method:
```java
    private boolean requiresRehash(String hashedPassword) {
        // Extract work factor from bcrypt hash (format: $2a$<rounds>$<salt+hash>)
        String[] parts = hashedPassword.split("\\$");
        if (parts.length >= 3) {
            try {
                int workFactor = Integer.parseInt(parts[2]);
                return workFactor < 10;
            } catch (NumberFormatException e) {
                // Not a parseable bcrypt cost; do not rehash
                return false;
            }
        }
        return false;
    }
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
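The login-time upgrade discussed in the review above, written out as an added, self-contained example. It is not the PR's code and not HugeGraph's StringEncoding (which the page does not show); it assumes jBCrypt (org.mindrot.jbcrypt) as the bcrypt library, a hypothetical User record in place of HugeUser, and a persist callback in place of the project's storage layer. The cost parser validates the full bcrypt string shape (prefix, two-digit cost in the 4..31 range, 53 characters of salt and hash) instead of splitting on "$", and treats an unparseable hash as needing an upgrade, since the plaintext has just been verified against it.

```java
import java.util.OptionalInt;
import java.util.function.Consumer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.mindrot.jbcrypt.BCrypt;

/**
 * Login-time bcrypt work-factor upgrade (added example, not project code).
 * Assumption: stored hashes are standard bcrypt modular-crypt strings and
 * jBCrypt is the hashing library.
 */
public final class BcryptRehash {

    /** Target cost for new hashes and for upgrades of old ones. */
    static final int TARGET_COST = 10;

    // $2$, $2a$, $2b$, $2x$ or $2y$ prefix, two-digit cost, 22-char salt + 31-char hash
    private static final Pattern BCRYPT = Pattern.compile(
            "^\\$2[abxy]?\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    /** Parses the cost out of a bcrypt string; empty if it is not a well-formed bcrypt hash. */
    static OptionalInt costOf(String hash) {
        if (hash == null) {
            return OptionalInt.empty();
        }
        Matcher m = BCRYPT.matcher(hash);
        if (!m.matches()) {
            return OptionalInt.empty();
        }
        int cost = Integer.parseInt(m.group(1));
        // bcrypt cost is log2 of the rounds; the defined range is 4..31
        return (cost >= 4 && cost <= 31) ? OptionalInt.of(cost) : OptionalInt.empty();
    }

    /**
     * True when the stored hash is below the target cost, or is not a bcrypt
     * string at all (some other legacy scheme). Call this only after the
     * password has been verified, so a plaintext is available for rehashing.
     */
    static boolean needsRehash(String hash) {
        OptionalInt cost = costOf(hash);
        return cost.isEmpty() || cost.getAsInt() < TARGET_COST;
    }

    /** Hypothetical stand-in for the user record; not HugeGraph's HugeUser. */
    static final class User {
        final String name;
        String passwordHash;

        User(String name, String passwordHash) {
            this.name = name;
            this.passwordHash = passwordHash;
        }
    }

    /**
     * Verify the password, then transparently upgrade the hash if it is weak.
     * Returns the user on success and null on failure. Persistence is a
     * callback so the storage layer stays out of the example.
     */
    static User authenticate(User user, String password, Consumer<User> persist) {
        if (!BCrypt.checkpw(password, user.passwordHash)) {
            return null;
        }
        if (needsRehash(user.passwordHash)) {
            // Only reachable with the verified plaintext: hashes cannot be upgraded offline
            user.passwordHash = BCrypt.hashpw(password, BCrypt.gensalt(TARGET_COST));
            persist.accept(user);
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed legacy record: hashed at cost 4, the pre-PR work factor
        String legacy = BCrypt.hashpw("s3cret", BCrypt.gensalt(4));
        User u = new User("alice", legacy);
        System.out.println("before: cost=" + costOf(u.passwordHash)
                + " needsRehash=" + needsRehash(u.passwordHash));

        authenticate(u, "s3cret", saved -> System.out.println("persisted new hash for " + saved.name));
        System.out.println("after:  cost=" + costOf(u.passwordHash)
                + " needsRehash=" + needsRehash(u.passwordHash));

        // A wrong password must never reach the rehash step
        User bad = authenticate(u, "wrong", saved -> {
            throw new AssertionError("must not persist on failed login");
        });
        System.out.println("wrong password -> " + (bad == null ? "rejected" : "accepted"));
    }
}
```

Two points the flow makes explicit: the upgrade happens after a successful check, so a failed login can never cause a write, and the parser's empty result on a malformed hash is treated as "upgrade" rather than "leave alone", which is the safe direction once the password has already verified. Accounts that never log in again keep their old cost, so an operator-driven reset remains the only remedy for those.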