Update password hash stuff, totp impl

Move password encryption to argon2id

auth-new/password.go

@@ -1,12 +1,14 @@
 package auth
 
 import (
+	"bytes"
+	"crypto/rand"
 	"time"
 
 	"git.mstar.dev/mstar/goutils/other"
 	"git.mstar.dev/mstar/goutils/sliceutils"
 	"github.com/google/uuid"
-	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/crypto/argon2"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 
@@ -14,12 +16,31 @@ import (
 	"git.mstar.dev/mstar/linstrom/storage-new/models"
 )
 
+const saltLen = 32
+
+func generateSalt(length int) ([]byte, error) {
+	salt := make([]byte, length)
+	if _, err := rand.Read(salt); err != nil {
+		return nil, err
+	}
+	return salt, nil
+}
+
 func hashPassword(password string) ([]byte, error) {
-	return bcrypt.GenerateFromPassword([]byte(password), 14)
+	salt, err := generateSalt(saltLen)
+	if err != nil {
+		return nil, err
+	}
+	hash := argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32)
+	hash = append(hash, salt...)
+	// return bcrypt.GenerateFromPassword([]byte(password), 14)
+	return hash, nil
 }
 
 func comparePassword(password string, hash []byte) bool {
-	return bcrypt.CompareHashAndPassword(hash, []byte(password)) == nil
+	salt := hash[len(hash)-saltLen:]
+
+	return bytes.Equal(argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32), hash)
 }
 
 // Start a login process with a username (NOT account ID) and password