taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 06:50:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: migrate token hashing from SHA256 to Argon2id (#55)

Browse Source 
* docs: add DCO, governance model, roles, vulnerability credit policy

* security: migrate token hashing from SHA256 to Argon2id

- Replace unsalted SHA256 with Argon2id (salted) for API token hashing
- Fix TOCTOU race: replace exists()+read() with read()+match on error
- Set chmod 600 on token files and 700 on token storage directory
- Auto-migrate legacy SHA256 tokens to Argon2id on first verification
- Add regression tests: argon2 format, legacy migration, file permissions
This commit is contained in:
DevITWay | Pavel Volkov
2026-03-25 01:56:43 +03:00
committed by GitHub
parent 975264c353
commit 432e8d35af
5 changed files with 254 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
SECURITY.md
View File

@@ -50,4 +50,6 @@ When deploying NORA:
## Acknowledgments
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities.
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes and CHANGELOG, unless the reporter requests anonymity.
If you have previously reported a vulnerability and would like to be credited, please let us know.