Admin token Argon2 hashing support

Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead of only supporting a plain text string. The hash must be a PHC string which can be generated via the `argon2` CLI **or** via the also built-in hash command in Vaultwarden. You can simply run `vaultwarden hash` to generate a hash based upon a password the user provides them self. Added a warning during startup and within the admin settings panel is the `ADMIN_TOKEN` is not an Argon2 hash. Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash. I have also tested this on my RaspberryPi 2b and there the `Bitwarden` preset takes almost 4.5 seconds to generate/verify the Argon2 hash. Using the `OWASP` preset it is below 1 second, which I think should be fine for low-graded hardware. If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden it self would run. They can always use the `argon2` CLI and generate a faster hash.
2025-09-09 18:25:58 +03:00 · 2023-02-28 23:09:51 +01:00
parent 337cbfaf22
commit de157b2654
8 changed files with 240 additions and 20 deletions
--- a/src/config.rs
+++ b/src/config.rs
@@ -19,7 +19,7 @@ static CONFIG_FILE: Lazy<String> = Lazy::new(|| {

 pub static CONFIG: Lazy<Config> = Lazy::new(|| {
    Config::load().unwrap_or_else(|e| {
-        println!("Error loading config:\n\t{e:?}\n");
+        println!("Error loading config:\n  {e:?}\n");
        exit(12)
    })
 });
@@ -872,6 +872,23 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        err!("`EVENT_CLEANUP_SCHEDULE` is not a valid cron expression")
    }

+    if !cfg.disable_admin_token {
+        match cfg.admin_token.as_ref() {
+            Some(t) if t.starts_with("$argon2") => {
+                if let Err(e) = argon2::password_hash::PasswordHash::new(t) {
+                    err!(format!("The configured Argon2 PHC in `ADMIN_TOKEN` is invalid: '{e}'"))
+                }
+            }
+            Some(_) => {
+                println!(
+                    "[NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.\n\
+                Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.\n\
+                See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token\n"
+                );
+            }
+            _ => {}
+        }
+    }
    Ok(())
 }