I would like to change the hashing function used within Cuba to something more secure. I know that it is possible to do this using a new EncryptionModule, but my use case is a little more complex.
I have a set of around 800 pre-existing users that currently all have a SHA-1 password in the DB - these are all users of a portal module who authenticate with the login API. I cannot simply change the hashing algorithm and ask my users to generate a new password. So I am proposing some code which will:
- When the user logs in, checks the DB to see what kind of hashing algorithm their password has been hashed with (this will default to SHA-1)
- Their plaintext password will be hashed and checked against the stored value (using the appropriate algorithm derived from step 1)
- If the user is on an outdated hashing mechanism like this, the system will take their plaintext password, hash it with the new algorithm and store it, and update their record to indicate that they are now hashed using this more up-to-date method.
In this way I can perform a gradual migration from SHA-1 to, say, bcrypt, without causing issues for my users.
Do you have any advice for how best to accomplish this within the structure of the Cuba framework?
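Added example of the three-step login flow described above, written as framework-agnostic Java. It is not the poster's code and does not use CUBA's EncryptionModule or entity API; `UserRecord` is a stand-in for the user entity with the two columns the post describes (the stored hash and a new algorithm tag, null on pre-existing rows). It assumes the legacy column holds an unsalted hex SHA-1 digest, and uses PBKDF2-HMAC-SHA256 from the JDK as the new scheme instead of bcrypt so that it runs without an extra library; both are labelled assumptions in the comments.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Lazy password-hash migration on login (illustrative, not CUBA's own code).
 * Assumptions: legacy rows hold unsalted SHA-1 as hex; the new scheme is
 * PBKDF2-HMAC-SHA256 stored as "iterations$saltB64$hashB64".
 */
public class PasswordMigration {

    static final String LEGACY_ALGO = "SHA-1";
    static final String CURRENT_ALGO = "PBKDF2WithHmacSHA256";
    static final int PBKDF2_ITERATIONS = 210_000; // OWASP guidance for PBKDF2-HMAC-SHA256
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;

    /** Hypothetical stand-in for the persisted user entity. */
    static class UserRecord {
        String login;
        String passwordHash;  // SHA-1: hex digest; PBKDF2: "iterations$saltB64$hashB64"
        String hashAlgorithm; // null on pre-existing rows, which the post treats as SHA-1

        UserRecord(String login, String passwordHash, String hashAlgorithm) {
            this.login = login;
            this.passwordHash = passwordHash;
            this.hashAlgorithm = hashAlgorithm;
        }
    }

    /** Steps 1-2: verify with the algorithm the row is tagged with; step 3: upgrade on success. */
    static boolean loginAndMigrate(UserRecord user, char[] password) throws GeneralSecurityException {
        String algo = (user.hashAlgorithm == null) ? LEGACY_ALGO : user.hashAlgorithm;
        boolean ok;
        switch (algo) {
            case LEGACY_ALGO:  ok = verifySha1(password, user.passwordHash); break;
            case CURRENT_ALGO: ok = verifyPbkdf2(password, user.passwordHash); break;
            default: throw new IllegalStateException("Unknown hash algorithm tag: " + algo);
        }
        if (!ok) {
            return false; // wrong password: the stored hash is never touched
        }
        if (!CURRENT_ALGO.equals(algo)) {
            // The plaintext is only available here, so this is the one place to re-hash.
            // Persist both columns in the same transaction so they cannot drift apart.
            user.passwordHash = hashPbkdf2(password, PBKDF2_ITERATIONS);
            user.hashAlgorithm = CURRENT_ALGO;
        }
        return true;
    }

    static boolean verifySha1(char[] password, String storedHex) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(new String(password).getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(digest, hexToBytes(storedHex)); // constant-time compare
    }

    static String hashPbkdf2(char[] password, int iterations) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt); // fresh per-user salt
        byte[] dk = pbkdf2(password, salt, iterations);
        Base64.Encoder b64 = Base64.getEncoder();
        return iterations + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    static boolean verifyPbkdf2(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false; // malformed row: fail closed rather than throw
        }
        int iterations = Integer.parseInt(parts[0]); // stored per row, so the cost can be raised later
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(pbkdf2(password, salt, iterations), expected);
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(CURRENT_ALGO).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed legacy row: a pre-existing user with an unsalted SHA-1 hash and no algorithm tag.
        char[] pw = "correct horse battery staple".toCharArray();
        String legacyHex = bytesToHex(MessageDigest.getInstance("SHA-1")
                .digest(new String(pw).getBytes(StandardCharsets.UTF_8)));
        UserRecord user = new UserRecord("alice", legacyHex, null);

        System.out.println("wrong password accepted? " + loginAndMigrate(user, "nope".toCharArray()));
        System.out.println("still legacy after failure? " + (user.hashAlgorithm == null));
        System.out.println("correct password accepted? " + loginAndMigrate(user, pw));
        System.out.println("row now tagged: " + user.hashAlgorithm);
        System.out.println("second login via PBKDF2 path? " + loginAndMigrate(user, pw));
    }
}
```

The schema change this needs is one extra column for the algorithm tag (the post's "default to SHA-1" is modelled by treating null as legacy). Two points worth carrying into whatever CUBA extension point you use: write the new hash and the tag in the same transaction as the successful login, and never write anything on a failed attempt. Keeping the iteration count inside the stored string also lets you raise the PBKDF2 cost later with the same lazy-upgrade path, and a periodic query for rows still tagged SHA-1 tells you when the 800-user migration has finished or which accounts never logged in and need a forced reset.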