adcc3fddc7
Password hashing migrated from bcrypt to Argon2id (m=64MiB, t=3, p=4). Transparent upgrade: on successful bcrypt login, re-hashes with Argon2id and persists. New signups and password changes use Argon2id directly. Unifies crypto stack — Argon2id was already used for TOTP and backup KDF. Bitcoin RPC password: no longer falls back to hardcoded "archipelago123". On first boot, generates a random 32-char hex password from CSPRNG, saves to /var/lib/archipelago/secrets/bitcoin-rpc-password with 0600 permissions. Existing installs with secrets file are unaffected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
73 lines
2.5 KiB
Rust
73 lines
2.5 KiB
Rust
//! Shared Bitcoin RPC credential management.
|
|
//! Reads credentials from the per-installation secrets file, falling back to
|
|
//! environment variables, then a dev-only default.
|
|
|
|
use tokio::sync::OnceCell;
|
|
use tracing::debug;
|
|
|
|
const SECRETS_PATH: &str = "/var/lib/archipelago/secrets/bitcoin-rpc-password";
|
|
const DEFAULT_USER: &str = "archipelago";
|
|
|
|
static CACHED_PASSWORD: OnceCell<String> = OnceCell::const_new();
|
|
|
|
/// Read the Bitcoin RPC password from the secrets file, env var, or dev fallback.
|
|
async fn read_password() -> String {
|
|
// 1. Try secrets file (production path)
|
|
if let Ok(pass) = tokio::fs::read_to_string(SECRETS_PATH).await {
|
|
let pass = pass.trim().to_string();
|
|
if !pass.is_empty() {
|
|
debug!("Bitcoin RPC password loaded from secrets file");
|
|
return pass;
|
|
}
|
|
}
|
|
|
|
// 2. Try environment variable
|
|
if let Ok(pass) = std::env::var("BITCOIN_RPC_PASSWORD") {
|
|
if !pass.is_empty() {
|
|
debug!("Bitcoin RPC password loaded from env var");
|
|
return pass;
|
|
}
|
|
}
|
|
|
|
// 3. Generate a random password and persist it (first-boot provisioning)
|
|
let random_pass = generate_random_password();
|
|
if let Some(parent) = std::path::Path::new(SECRETS_PATH).parent() {
|
|
let _ = tokio::fs::create_dir_all(parent).await;
|
|
}
|
|
match tokio::fs::write(SECRETS_PATH, &random_pass).await {
|
|
Ok(_) => {
|
|
// Restrict permissions to owner-only
|
|
#[cfg(unix)]
|
|
{
|
|
use std::os::unix::fs::PermissionsExt;
|
|
let _ = std::fs::set_permissions(SECRETS_PATH, std::fs::Permissions::from_mode(0o600));
|
|
}
|
|
debug!("Bitcoin RPC password: generated and saved to secrets file");
|
|
}
|
|
Err(e) => {
|
|
tracing::warn!("Failed to save generated Bitcoin RPC password: {} — using ephemeral", e);
|
|
}
|
|
}
|
|
random_pass
|
|
}
|
|
|
|
/// Generate a cryptographically random password for Bitcoin RPC (32 hex chars).
|
|
fn generate_random_password() -> String {
|
|
let bytes: [u8; 16] = rand::random();
|
|
hex::encode(bytes)
|
|
}
|
|
|
|
/// Get Bitcoin RPC credentials (user, password). Cached after first call.
|
|
pub async fn bitcoin_rpc_credentials() -> (String, String) {
|
|
let pass = CACHED_PASSWORD
|
|
.get_or_init(|| async { read_password().await })
|
|
.await;
|
|
(DEFAULT_USER.to_string(), pass.clone())
|
|
}
|
|
|
|
/// Get the Bitcoin RPC password as a plain string (for config generation).
|
|
pub async fn bitcoin_rpc_password() -> String {
|
|
let (_, pass) = bitcoin_rpc_credentials().await;
|
|
pass
|
|
}
|