security: migrate token hashing from SHA256 to Argon2id (#55)

* docs: add DCO, governance model, roles, vulnerability credit policy * security: migrate token hashing from SHA256 to Argon2id - Replace unsalted SHA256 with Argon2id (salted) for API token hashing - Fix TOCTOU race: replace exists()+read() with read()+match on error - Set chmod 600 on token files and 700 on token storage directory - Auto-migrate legacy SHA256 tokens to Argon2id on first verification - Add regression tests: argon2 format, legacy migration, file permissions
2026-04-12 09:10:32 +00:00 · 2026-03-25 01:56:43 +03:00
parent 975264c353
commit 432e8d35af
5 changed files with 254 additions and 52 deletions
--- a/nora-registry/Cargo.toml
+++ b/nora-registry/Cargo.toml
@@ -49,6 +49,7 @@ tower_governor = "0.8"
 governor = "0.10"
 parking_lot = "0.12"
 zeroize = { version = "1.8", features = ["derive"] }
+argon2 = { version = "0.5", features = ["std", "rand"] }
 tower-http = { version = "0.6", features = ["set-header"] }

 [dev-dependencies]