diff --git a/docs/guide/advanced/passwordless-api.md b/docs/guide/advanced/passwordless-api.md index 8e6fb76..ae28bf2 100644 --- a/docs/guide/advanced/passwordless-api.md +++ b/docs/guide/advanced/passwordless-api.md @@ -6,17 +6,21 @@ If you're worried about sending your credentials into the wild, you can also mak ## Signature token -Your secret signature token will be a string like `1002a612b4` +Your secret signature token will be a 32 character string like `4ea59aab37f6df0755a6da98ee5ca85d`. -A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to log in your YOURLS setup. You will find it in the Tools page of your YOURLS install. +A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to +log in your YOURLS setup. You will find it in the Tools page of your YOURLS install. -**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a login and password to use it. Therefore there's no signature token to be used instead of a login/password pair. +**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a +login and password to use it. Therefore there's no signature token to be used instead of a login/password pair. + +If you know what you are doing, you can customize the signature length or even content with filters `auth_signature_length` and `auth_signature`. ## Usage of the signature token Use parameter `signature` in your API requests. Example: -`https://yoursite/yourls-api.php?signature=1002a612b4&action=...` +`https://yoursite/yourls-api.php?signature=4ea59aab37f6df0755a6da98ee5ca85d&action=...` ## Usage of a time limited signature token 
@@ -27,15 +31,17 @@ First, craft the time limited signature token: ```php ``` -Now use parameters `signature` and `timestamp` in your API requests. Example: +The hash must be one of `sha256`, `sha384` or `sha512`, unless explicitly allowed by a plugin via +the `allowed_hash_algos` filter. + +Now use parameters `signature`, `timestamp` and `hash` in your API requests. Example: -`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&action=...` +`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha256&action=...` This URL would be valid for only 43200 seconds (12 hours), the default value of constant `YOURLS_NONCE_LIFE`. @@ -43,20 +49,6 @@ To modify this duration, add the following to your `config.php`: `define( 'YOURLS_NONCE_LIFE', number_of_seconds );` (note this also affect all the internal links of YOURLS such as the ones to activate a plugin, delete a short URL, etc.) -### Use other hash algorithms than `md5` - -From YOURLS 1.7.7 you can use any hash function instead of `md5()`. Simply add the `hash=` argument to your API request, for instance: - -```php - -``` - -Now use `https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha512&action=...` - **NB**: if you try to use a hash algorithm that your setup doesn't support, you will get a simple authentication error as if the timestamp or signature were incorrect. ## Reset your secret signature token diff --git a/docs/guide/essentials/credentials.md b/docs/guide/essentials/credentials.md index 93861eb..6ca4302 100644 --- a/docs/guide/essentials/credentials.md +++ b/docs/guide/essentials/credentials.md 
@@ -4,11 +4,11 @@ In `config.php`, the variable `$yourls_user_passwords` shall contain an array of usernames and passwords. -To improve security and user experience, YOURLS 1.7+ **automatically encrypts** these passwords within your config file. +To improve security and user experience, YOURLS **automatically encrypts** these passwords within your config file. ## Editing login & passwords in `config.php` -Edit and save your config file with an array of simple `key => value` associations like the followings: +Edit and save your config file with an array of simple `key => value` associations like the following: One login/password: 
@@ -33,7 +33,8 @@ $yourls_user_passwords = array( ## Password auto-encryption -Next time you'll run YOURLS, this array will be rewritten, replacing plain text passwords with encrypted and undecipherable hashes. If you check now your `config.php`, you should see something like: +Next time you'll run YOURLS, this array will be rewritten, replacing plain text passwords with encrypted and +undecipherable hashes. If you check now your `config.php`, you should see something like: ```php _Could not auto-encrypt passwords. Error was: "cannot write file"._ -Your config file is probably locked for reading and or writing (eg _chmoded_), which can be a good security practice. Temporarily lift that restriction (`chmod 0666 config.php`), load a YOURLS page again, then `chmod` it back. +Your config file is probably locked for reading and or writing (eg _chmoded_), which can be a good security practice. In a terminal console, note +the original _chmod_ (`stat -c "%a" config.php`), temporarily lift that restriction (`chmod 0666 config.php`), load a YOURLS page again, +then `chmod` it back to the original value (for example `chmod 600 config.php`). -If for some reason you cannot get it working, see **manual MD5 encryption** below +### I have an error message: "_Password stored as MD5 hash_" + +If your `config.php` contains password encrypted the old way with `md5()`, you should consider using more robust hashes. + +To do so: simply replace the string `md5:<5 digits>:<32 chars>` with your password in clear text, load a YOURLS page again. Everything should be now encrypted. ### Why hash passwords? -Storing your password as a crypted hash is more secure: if someone has access to your `config.php`, they won't be able to determine what your password is and won't be able to log in your setup. The drawback is that if you forget your own password, you cannot retrieve it: see below. 
+Storing your password as a encrypted hash is more secure: if someone has access to your `config.php`, they won't be able to determine what your password is and won't be able to log in your setup. The drawback is that if you forget your own password, you cannot retrieve it: see below. ### I don't remember my password / I want to change it Simply edit your `config.php` and write a new password in clear text. Next time you'll load YOURLS, it will be encrypted again. -### Manual MD5 encryption - -If you prefer, you can manually encrypt passswords using a MD5 salted hash of the following structure: - -`md5:< salt of 5 digits >:< md5 of salt + password >` - -A PHP example to generate an encrypted password would be: - -```php - value` associations with encrypted passwords looks like the following: - -```php - 'md5:71688:0ce43474167f743b7b92d046ae970801', -); -``` - -Hashes using MD5 are slightly less secure than using native YOURLS encryption, but still way better than plain text passwords. - ### I don't want to encrypt my password If for some reason you'd rather keep your password unencrypted and in plain text in your config, simply add the following at the end of your `config.php`: diff --git a/package-lock.json b/package-lock.json index 4cb3602..0dbbb04 100644 --- a/package-lock.json +++ b/package-lock.json @@ -7,7 +7,6 @@ "dependencies": { "@mdx-js/react": "^3.1.1", "clsx": "^2.1.1", - "md5": "^2.3.0", "prism-react-renderer": "^2.4.1", "react": "^19.2.6", "react-dom": "^19.2.6" 
@@ -8226,15 +8225,6 @@ "url": "https://github.com/sponsors/wooorm" } }, - "node_modules/charenc": { - "version": "0.0.2", - "resolved": "https://registry.npmjs.org/charenc/-/charenc-0.0.2.tgz", - "integrity": "sha512-yrLQ/yVUFXkzg7EDQsPieE/53+0RlaWTs+wBrvW36cyilJ2SaDWfl4Yj7MtLTXleV9uEKefbAGUPv2/iWSooRA==", - "license": "BSD-3-Clause", - "engines": { - "node": "*" - } - }, "node_modules/cheerio": { "version": "1.0.0-rc.12", "resolved": "https://registry.npmjs.org/cheerio/-/cheerio-1.0.0-rc.12.tgz", @@ -8854,15 +8844,6 @@ "node": ">= 8" } }, - "node_modules/crypt": { - "version": "0.0.2", - "resolved": "https://registry.npmjs.org/crypt/-/crypt-0.0.2.tgz", - "integrity": "sha512-mCxBlsHFYh9C+HVpiEacem8FEBnMXgU9gy4zmNC+SXAZNB/1idgp/aulFJ4FgCi7GPEVbfyng092GqL2k2rmow==", - "license": "BSD-3-Clause", - "engines": { - "node": "*" - } - }, "node_modules/crypto-random-string": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/crypto-random-string/-/crypto-random-string-4.0.0.tgz", @@ -11852,12 +11833,6 @@ "node": ">=8" } }, - "node_modules/is-buffer": { - "version": "1.1.6", - "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-1.1.6.tgz", - "integrity": "sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==", - "license": "MIT" - }, "node_modules/is-ci": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/is-ci/-/is-ci-3.0.1.tgz", @@ -12584,17 +12559,6 @@ "node": ">= 0.4" } }, - "node_modules/md5": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/md5/-/md5-2.3.0.tgz", - "integrity": "sha512-T1GITYmFaKuO91vxyoQMFETst+O71VUPEU3ze5GNzDm0OWdP8v1ziTaAEPUr/3kLsY3Sftgz242A1SetQiDL7g==", - "license": "BSD-3-Clause", - "dependencies": { - "charenc": "0.0.2", - "crypt": "0.0.2", - "is-buffer": "~1.1.6" - } - }, "node_modules/mdast-util-directive": { "version": "3.1.0", "resolved": "https://registry.npmjs.org/mdast-util-directive/-/mdast-util-directive-3.1.0.tgz", 
diff --git a/package.json b/package.json index efb2201..ca63ac5 100644 --- a/package.json +++ b/package.json @@ -17,15 +17,14 @@ "dependencies": { "@mdx-js/react": "^3.1.1", "clsx": "^2.1.1", - "md5": "^2.3.0", "prism-react-renderer": "^2.4.1", "react": "^19.2.6", "react-dom": "^19.2.6" }, "devDependencies": { "@docusaurus/core": "3.10.1", - "@docusaurus/preset-classic": "3.10.1", "@docusaurus/module-type-aliases": "3.10.1", + "@docusaurus/preset-classic": "3.10.1", "@docusaurus/types": "3.10.1", "graphql-request": "^7.4.0", "prettier": "^3.8.3", diff --git a/src/components/Md5Generator/index.js b/src/components/Md5Generator/index.js deleted file mode 100644 index c4c72d2..0000000 --- a/src/components/Md5Generator/index.js +++ /dev/null @@ -1,35 +0,0 @@ -import { useState } from 'react' - -import styles from './styles.module.css' - -export default function Md5Generator() { - const [text, setText] = useState('') - const [md5, setMd5] = useState('') - - const handleChange = async (e) => { - setText(e.target.value) - const salt = Math.floor(Math.random() * (99999 - 10000 + 1)) + 10000 - const encrypted = - `md5:${salt}:${require('md5')(salt + e.target.value)}` - setMd5(encrypted) - } - - return ( -
-
- - -
-
- - -
-
- ) -} diff --git a/src/components/Md5Generator/styles.module.css b/src/components/Md5Generator/styles.module.css deleted file mode 100644 index 070b2c3..0000000 --- a/src/components/Md5Generator/styles.module.css +++ /dev/null @@ -1,11 +0,0 @@ -.input { - padding: calc( - var(--ifm-button-padding-vertical) * var(--ifm-button-size-multiplier) - ) - 1em; - line-height: 1.5; - display: block; - width: 100%; - margin-bottom: 1em; - font-family: var(--ifm-font-family-monospace); -} diff --git a/src/pages/md5.mdx b/src/pages/md5.mdx deleted file mode 100644 index a352f4b..0000000 --- a/src/pages/md5.mdx +++ /dev/null @@ -1,18 +0,0 @@ ---- -sidebar: false ---- - -import Md5Generator from '@site/src/components/Md5Generator' - -# Salted hash generator - -:::info -This form just outputs hashes. Nothing is stored or logged, not even sent to any server. -::: - -:::danger -`md5` hash function usage is deprecated. -Consider using native password hashes instead. -::: - - diff --git a/static/_redirects b/static/_redirects index 15caf03..c33d52b 100644 --- a/static/_redirects +++ b/static/_redirects @@ -1,7 +1,8 @@ # https://developers.cloudflare.com/workers/static-assets/redirects/ /blog/feed/ /blog/atom.xml 301 -/md5.php /md5 301 +/md5.php /docs/guide/essentials/credentials 301 +/md5 /docs/guide/essentials/credentials 301 /cookiekey.php https://api.yourls.org/services/cookiekey/1.0/ 301 /hooklist.php https://app.yourls.org/hooklist.php 308 /admin/* https://app.yourls.org/admin/:splat 308
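Review bot: the sentence added in the first passwordless-api.md hunk about the `auth_signature_length` and `auth_signature` filters should say that shortening the signature below the default 32 characters weakens a credential that never expires and is accepted on every API request; the old 10-character example `1002a612b4` that this hunk replaces is exactly the kind of value being moved away from, so "if you know what you are doing" is not enough of a caveat. Minor: "32 character string" should be "32-character string".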
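Review bot: in the second passwordless-api.md hunk the example URL now carries `hash=sha256`, but the PHP block that crafts `$signature` is unchanged context in this diff, and the section deleted just below shows that block was documented against `md5()`; double-check that it now builds the token with one of `sha256`, `sha384` or `sha512` and with the same input order the server verifies, otherwise the documented URL fails with the authentication error described in the NB. It would also help to state here that `md5` is no longer accepted by default, since readers of the older doc will reach for it first.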
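Review bot: the NB kept as trailing context in the third passwordless-api.md hunk ("a hash algorithm that your setup doesn't support") now describes only half of the failure: with the `allowed_hash_algos` restriction introduced above, a request also fails when PHP supports the algorithm but it is not on the allowed list (`md5` included). Suggest rewording to "a hash algorithm that is not allowed on your setup" so the error is not misread as a missing PHP extension.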
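Review bot: in the credentials.md hunk, `stat -c "%a" config.php` is GNU coreutils syntax and fails on macOS/BSD `stat` (which takes `-f`); either say so or suggest `ls -l config.php` as the portable way to record the current mode. In the same paragraph `chmod 0666` makes the config world-writable for the whole window; prefer the narrowest mode that lets the web-server user write (for example `chmod 0660` with the matching group when owner and web server differ) and phrase the restore as mandatory rather than "then `chmod` it back". Dropping "If for some reason you cannot get it working, see manual MD5 encryption below" leaves no fallback at all; point readers to the "I don't want to encrypt my password" section or to fixing file ownership instead. Grammar: "as a encrypted hash" should be "as an encrypted hash", and "contains password encrypted the old way" should be "contains passwords encrypted the old way".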
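Review bot: the `package.json` hunk mixes an unrelated change into the md5 removal: `@docusaurus/preset-classic` is moved below `module-type-aliases` in devDependencies. The alphabetical ordering is fine, but mention it in the commit message so the lockfile diff is not read as a dependency change.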
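Review bot: the commit message should record why `Md5Generator` is deleted beyond "md5 is deprecated": the deleted hunk shows the salt was drawn with `Math.random()` over the range 10000..99999, which is neither a cryptographic RNG nor a salt space worth the name, so nobody should restore the component with a different hash function later.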
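Review bot: the `_redirects` hunk now sends both `/md5.php` and `/md5` straight to the credentials guide, which avoids the previous two-hop chain, but people arriving from the old generator land at the top of the page rather than at the new "Password stored as MD5 hash" section that tells them what to do with existing `md5:` values; consider appending that heading's generated anchor to both targets (assuming the site keeps Docusaurus's default heading ids).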