taler-docs

Documentation for GNU Taler components, APIs and protocols

commit 85019238fffa0ee9e1cbf0d5908c3a7addbfefbc
parent 57ef073147d26ed9d5fb74e978e5ddbc06b975d7
Author: Antoine A <>
Date:   Fri, 26 Jul 2024 18:00:03 +0200

libeufin-bank: add documentation for password hashing

Diffstat:
M libeufin/bank-manual.rst | 17 +++++++++++++++++
M manpages/libeufin-bank.conf.5.rst | 11 +++++++++--
2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/libeufin/bank-manual.rst b/libeufin/bank-manual.rst @@ -99,6 +99,23 @@ The following snippet shows the mandatory configuration values: Refer to the manpage ``libeufin-man.conf(5)`` for the full array of configuration values. +Configuring password storage +---------------------------- + +libeufin-bank uses secure password hashing algorithms to store user passwords. For the moment, only ``bcrypt`` is supported. The default configuration is: + +.. code-block:: ini + + [libeufin-bank] + PWD_HASH_ALGORITHM = bcrypt + PWD_HASH_CONFIG = { "cost": 8 } + +As password authentication is used frequently, password hashing should only take a few milliseconds. If your server's CPU is too weak, you should reduce the ``cost`` and you may want to increase otherwise. You can the password hash speed using the following command: + +.. code-block:: console + + $ libeufin-bank bench-pwh -c "$CONFIG_FILE admin + .. _libeufin-mfa: Configuring multi-factor authentication diff --git a/manpages/libeufin-bank.conf.5.rst b/manpages/libeufin-bank.conf.5.rst @@ -93,11 +93,11 @@ TAN_EMAIL Only used if ``ALLOW_CONVERSION`` is ``YES``. TAN_SMS_ENV - Environment variables for the sms TAN script. + Environment variables for the sms TAN script as a single-line JSON object Only used if ``TAN_SMS`` is set. TAN_EMAIL_ENV - Environment variables for the email TAN script. + Environment variables for the email TAN script as a single-line JSON object Only used if ``TAN_EMAIL`` is set. SERVE @@ -122,6 +122,13 @@ UNIXPATH_MODE SUGGESTED_WITHDRAWAL_EXCHANGE Exchange that is suggested to wallets when withdrawing +PWD_HASH_ALGORITHM + Password hash algorithm, this can only be ``bcrypt`` + +PWD_HASH_CONFIG + Password hash algorithm configuration as a single-line JSON object + When ``PWD_HASH_ALGORITHM`` is ``bcrypt`` you can configure ``cost`` + GC_ABORT_AFTER Time after which pending operations are aborted during garbage collection
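Review bot: the new "Configuring password storage" section in bank-manual.rst has a missing verb and an unbalanced quote: "You can the password hash speed using the following command" should read "You can measure the password hash speed using the following command", and the console example `$ libeufin-bank bench-pwh -c "$CONFIG_FILE admin` lacks the closing quote (`-c "$CONFIG_FILE" admin`), so a reader pasting it gets a shell waiting for the quote to close. The tuning sentence would also read better as "If your server's CPU is too weak, reduce ``cost``; otherwise consider increasing it", and since the text presents ``cost`` purely as a latency knob, add a sentence that a lower cost also makes the stored hashes cheaper to attack offline, so it should be set as high as the "few milliseconds" budget allows. Unrelated but visible in the context lines: "Refer to the manpage ``libeufin-man.conf(5)``" points at a non-existent page while the file being edited is ``libeufin-bank.conf.5.rst``.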
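Review bot: in the TAN_SMS_ENV and TAN_EMAIL_ENV entries the rewritten first line drops its sentence-ending period, so the text now runs "...as a single-line JSON object Only used if ``TAN_SMS`` is set."; end both lines with a period (`Environment variables for the sms TAN script as a single-line JSON object.`). It would also help to say what the object's keys and values mean (presumably variable name to string value) and to show one example, since "single-line JSON object" alone does not tell the operator what shape is accepted or rejected.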
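Review bot: "Password hash algorithm, this can only be ``bcrypt``" is a comma splice and, like the other new lines in this hunk, has no terminal punctuation; suggest `Password hash algorithm. Currently only ``bcrypt`` is supported.` The PWD_HASH_CONFIG entry should also state the default (`{ "cost": 8 }`, as the manual page in the first hunk shows) and what ``cost`` controls (bcrypt's work factor, where each increment doubles the hashing time), otherwise an operator reading only the manpage has no basis for picking a value; a pointer to the ``bench-pwh`` command documented in bank-manual.rst would round this out.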