chore: Remove custom salt for a better security we generate

CHANGELOG.md

@@ -11,7 +11,6 @@
 - [AUTOCONF] Add new `NAMESPACES` environment variable to allow setting the namespaces to watch for the autoconf feature which makes it possible to use multiple autoconf instances in the same cluster while keeping the configuration separated
 - [UI] Start refactoring the UI to make it more modular and easier to maintain with migration from Jinja to Vue.js
 - [UI] Add a `remember me` feature to the login page so that the user can stay logged in for a longer period of time (expires after 31 days)
-- [UI] Add new `PASSWORD_SALT` setting to allow setting a custom salt for the password hashing (default is generated via bcrypt)
 - [UI] Add new `TOTP_SECRETS` setting to encrypt the TOTP secrets in the database (if not set, we generate a random amount of secrets via passlib.totp) - ⚠ We highly recommend setting this setting to a custom value to prevent the secrets from being erased when the volumes are deleted
 - [UI] Add new `MF_RECOVERY_CODES_KEYS` and `MF_ENCRYPT_RECOVERY_CODES` settings to allow setting the encryption keys for the recovery codes and to enable/disable the encryption of the recovery codes (default is yes and if no keys are set, we generate random keys via cryptography.fernet.Fernet) - ⚠ We highly recommend setting these settings to custom values to prevent the recovery codes from being erased when the volumes are deleted
 - [UI] Start adding roles and permissions to the UI to allow different users to have different permissions in a multi-user environment for the near future

src/ui/main.py

@@ -18,7 +18,6 @@ for deps_path in [join(sep, "usr", "share", "bunkerweb", *paths) for paths in ((
     if deps_path not in sys_path:
         sys_path.append(deps_path)
 
-from bcrypt import gensalt
 from bs4 import BeautifulSoup
 from copy import deepcopy
 from cryptography.fernet import Fernet
@@ -125,15 +124,6 @@ with app.app_context():
             TMP_DIR.joinpath(".flask_secret").write_text(token_urlsafe(32), encoding="utf-8")
         FLASK_SECRET = TMP_DIR.joinpath(".flask_secret").read_text(encoding="utf-8").strip()
 
-    PASSWORD_SALT = getenv("PASSWORD_SALT", "")
-    if not PASSWORD_SALT.isdigit():
-        if not LIB_DIR.joinpath(".password_salt").is_file():
-            app.logger.warning(
-                "The PASSWORD_SALT environment variable is missing or invalid (must be an integer) or the .password_salt file is missing, generating a random one ..."
-            )
-            LIB_DIR.joinpath(".password_salt").write_bytes(gensalt(rounds=13))
-        PASSWORD_SALT = LIB_DIR.joinpath(".password_salt").read_text(encoding="utf-8").strip()
-
     TOTP_SECRETS = getenv("TOTP_SECRETS", "")
     if TOTP_SECRETS:
         try:
@@ -257,7 +247,7 @@ with app.app_context():
                             "The admin password is not strong enough. It must contain at least 8 characters, including at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character (#@?!$%^&*-). It will not be updated."
                         )
                     else:
-                        ADMIN_USER["password"] = gen_password_hash(env_admin_password, PASSWORD_SALT)
+                        ADMIN_USER["password"] = gen_password_hash(env_admin_password)
                         updated = True
 
                 if updated:
@@ -283,7 +273,7 @@ with app.app_context():
                 )
                 exit(1)
 
-        ret = DB.create_ui_user(user_name, gen_password_hash(env_admin_password, PASSWORD_SALT), ["admin"], admin=True)
+        ret = DB.create_ui_user(user_name, gen_password_hash(env_admin_password), ["admin"], admin=True)
         if ret:
             app.logger.error(f"Couldn't create the admin user in the database: {ret}")
             exit(1)
@@ -760,9 +750,7 @@ def setup():
                     "setup",
                 )
 
-            ret = DB.create_ui_user(
-                request.form["admin_username"], gen_password_hash(request.form["admin_password"], PASSWORD_SALT), ["admin"], method="ui", admin=True
-            )
+            ret = DB.create_ui_user(request.form["admin_username"], gen_password_hash(request.form["admin_password"]), ["admin"], method="ui", admin=True)
             if ret:
                 return handle_error(f"Couldn't create the admin user in the database: {ret}", "setup", False, "error")
 
@@ -1048,7 +1036,7 @@ def account():
 
         ret = DB.update_ui_user(
             username,
-            gen_password_hash(password, PASSWORD_SALT),
+            gen_password_hash(password),
             totp_secret,
             totp_recovery_codes=totp_recovery_codes,
             method=current_user.method if request.form["operation"] == "totp" else "ui",

src/ui/ui_database.py

@@ -1,6 +1,6 @@
 from datetime import datetime
 from logging import Logger
-from os import getenv, sep
+from os import sep
 from os.path import join
 from sys import path as sys_path
 from time import sleep
@@ -109,15 +109,10 @@ class UIDatabase(Database):
                     row = {column: getattr(row, column) for column in Base.metadata.tables[table_name].columns.keys() if hasattr(row, column)}
 
                     if table_name == "bw_ui_users" and two_factor_enabled is not None:
-                        message = "Detected old user model, as we implemented advanced security in the new model (custom salt for passwords, totp, etc.)"
-                        if row["method"] == "ui":
-                            self.logger.warning(message + ", you will have to re create the admin user.")
-                            continue
-                        elif getenv("PASSWORD_SALT", "").isdigit():
-                            self.logger.warning(message + " and you specified a custom PASSWORD_SALT, you will have to re create the admin user.")
-                            continue
-                        elif two_factor_enabled:
-                            self.logger.warning(message + ", you will have to re set the two factor authentication for the admin user.")
+                        if two_factor_enabled:
+                            self.logger.warning(
+                                "Detected old user model, as we implemented advanced security in the new model (custom salt for passwords, totp, etc.), you will have to re set the two factor authentication for the admin user."
+                            )
                         row["admin"] = True
 
                     with self._db_session() as session:

src/ui/utils.py

@@ -6,7 +6,7 @@ from os.path import join
 from threading import Lock
 from typing import List, Optional
 
-from bcrypt import checkpw, hashpw
+from bcrypt import checkpw, gensalt, hashpw
 from magic import Magic
 from qrcode.main import QRCode
 from regex import compile as re_compile
@@ -215,8 +215,8 @@ def check_settings(settings: dict, check: str) -> bool:
     return any(setting["context"] == check for setting in settings.values())
 
 
-def gen_password_hash(password: str, salt: str) -> bytes:
-    return hashpw(password.encode("utf-8"), salt.encode("utf-8"))
+def gen_password_hash(password: str) -> bytes:
+    return hashpw(password.encode("utf-8"), gensalt(rounds=13))
 
 
 def check_password(password: str, hashed: bytes) -> bool: