Remove weak hashes from BasicAuth

Author: gaby

docs/middleware/basicauth.md

@@ -66,8 +66,7 @@ Getting the username and password
 Passwords must be supplied in pre-hashed form. The middleware detects the
 hashing algorithm from a prefix:
 
-- `"{SHA512}"`, `"{SHA256}"`, or `"{SHA}"` followed by a base64 encoded digest
-- `"{MD5}"` followed by a base64 encoded digest
+- `"{SHA512}"` or `"{SHA256}"` followed by a base64 encoded digest
 - standard bcrypt strings beginning with `$2`
 
 If no prefix is present the value is interpreted as a SHA-256 digest encoded in
@@ -92,7 +91,7 @@ func handler(c fiber.Ctx) error {
 | Charset         | `string`                    | Charset sent in the `WWW-Authenticate` header, so clients know how credentials are encoded. | `"UTF-8"` |
 | HeaderLimit     | `int`                       | Maximum allowed length of the `Authorization` header. Requests exceeding this limit are rejected. | `8192` |
 | StorePassword   | `bool`                      | Store the plaintext password in the context and retrieve it via `PasswordFromContext`. | `false` |
-| Authorizer      | `func(string, string, fiber.Ctx) bool` | Authorizer defines a function to check the credentials. It will be called with a username, password, and the current context and is expected to return true or false to indicate approval.  | `nil`                 |
+| Authorizer      | `func(string, string, fiber.Ctx) bool` | Authorizer defines a function to check the credentials. It will be called with a username, **hashed password**, and the current context and is expected to return true or false to indicate approval.  | `nil`                 |
 | Unauthorized    | `fiber.Handler`             | Unauthorized defines the response body for unauthorized responses.                                                                                                    | `nil`                 |
 
 ## Default Config

docs/whats_new.md

@@ -1947,7 +1947,7 @@ Authorizer: func(user, pass string, _ fiber.Ctx) bool {
 }
 ```
 
-Passwords configured for BasicAuth must now be pre-hashed. If no prefix is supplied the middleware expects a SHA-256 digest encoded in hex. Common prefixes like `{SHA256}`, `{SHA}`, `{SHA512}`, `{MD5}` and bcrypt strings are also supported. Plaintext passwords are no longer accepted.
+Passwords configured for BasicAuth must now be pre-hashed. If no prefix is supplied the middleware expects a SHA-256 digest encoded in hex. Common prefixes like `{SHA256}` and `{SHA512}` and bcrypt strings are also supported. Plaintext passwords are no longer accepted.
 
 You can also set the optional `HeaderLimit`, `StorePassword`, and `Charset`
 options to further control authentication behavior.

middleware/basicauth/basicauth_test.go

@@ -1,8 +1,6 @@
 package basicauth
 
 import (
-	"crypto/md5"  // #nosec G501 - test compatibility
-	"crypto/sha1" // #nosec G505 - test compatibility
 	"crypto/sha256"
 	"crypto/sha512"
 	"encoding/base64"
@@ -28,16 +26,6 @@ func sha512Hash(p string) string {
 	return "{SHA512}" + base64.StdEncoding.EncodeToString(sum[:])
 }
 
-func sha1Hash(p string) string {
-	sum := sha1.Sum([]byte(p)) // #nosec G401 - test compatibility
-	return "{SHA}" + base64.StdEncoding.EncodeToString(sum[:])
-}
-
-func md5Hash(p string) string {
-	sum := md5.Sum([]byte(p)) // #nosec G401 - test compatibility
-	return "{MD5}" + base64.StdEncoding.EncodeToString(sum[:])
-}
-
 // go test -run Test_BasicAuth_Next
 func Test_BasicAuth_Next(t *testing.T) {
 	t.Parallel()
@@ -370,8 +358,6 @@ func Test_parseHashedPassword(t *testing.T) {
 		{"sha256", sha256Hash(pass)},
 		{"sha256-hex", hexDigest},
 		{"sha256-b64", b64},
-		{"sha1", sha1Hash(pass)},
-		{"md5", md5Hash(pass)},
 	}
 
 	for _, tt := range cases {
@@ -398,8 +384,6 @@ func Test_BasicAuth_HashVariants(t *testing.T) {
 		{"sha512", sha512Hash(pass)},
 		{"sha256", sha256Hash(pass)},
 		{"sha256-hex", func() string { h := sha256.Sum256([]byte(pass)); return hex.EncodeToString(h[:]) }()},
-		{"sha1", sha1Hash(pass)},
-		{"md5", md5Hash(pass)},
 	}
 
 	for _, tt := range cases {
@@ -430,8 +414,6 @@ func Test_BasicAuth_HashVariants_Invalid(t *testing.T) {
 		{"sha512", sha512Hash(pass)},
 		{"sha256", sha256Hash(pass)},
 		{"sha256-hex", func() string { h := sha256.Sum256([]byte(pass)); return hex.EncodeToString(h[:]) }()},
-		{"sha1", sha1Hash(pass)},
-		{"md5", md5Hash(pass)},
 	}
 
 	for _, tt := range cases {

middleware/basicauth/config.go

@@ -1,8 +1,6 @@
 package basicauth
 
 import (
-	"crypto/md5"  // #nosec G501 - compatibility with existing hashed passwords
-	"crypto/sha1" // #nosec G505 - compatibility with existing hashed passwords
 	"crypto/sha256"
 	"crypto/sha512"
 	"crypto/subtle"
@@ -31,7 +29,7 @@ type Config struct {
 
 	// Authorizer defines a function you can pass
 	// to check the credentials however you want.
-	// It will be called with a username, password and
+	// It will be called with a username, hashed password and
 	// the current fiber context and is expected to return
 	// true or false to indicate that the credentials were
 	// approved or not.
@@ -165,24 +163,6 @@ func parseHashedPassword(h string) (func(string) bool, error) {
 			sum := sha256.Sum256([]byte(p))
 			return subtle.ConstantTimeCompare(sum[:], b) == 1
 		}, nil
-	case strings.HasPrefix(h, "{SHA}"):
-		b, err := base64.StdEncoding.DecodeString(h[len("{SHA}"):])
-		if err != nil {
-			return nil, fmt.Errorf("decode SHA1 password: %w", err)
-		}
-		return func(p string) bool {
-			sum := sha1.Sum([]byte(p)) // #nosec G401 - compatibility with existing hashed passwords
-			return subtle.ConstantTimeCompare(sum[:], b) == 1
-		}, nil
-	case strings.HasPrefix(h, "{MD5}"):
-		b, err := base64.StdEncoding.DecodeString(h[len("{MD5}"):])
-		if err != nil {
-			return nil, fmt.Errorf("decode MD5 password: %w", err)
-		}
-		return func(p string) bool {
-			sum := md5.Sum([]byte(p)) // #nosec G401 - compatibility with existing hashed passwords
-			return subtle.ConstantTimeCompare(sum[:], b) == 1
-		}, nil
 	default:
 		b, err := hex.DecodeString(h)
 		if err != nil || len(b) != sha256.Size {