ether/ep_hash_auth

Hash-Based Authentication for Etherpad

This Etherpad plugin lets you authenticate users against hashed passwords. As of version 2.x it uses the crypto library and/or the bcrypt library for comparison. In addition to settings.json, the user database can now be stored in a filesystem hierarchy; the hash files are read on authentication.

  "users": {
    "admin": {"password": "admin", "is_admin": true},
    "y": {"is_admin": true, "hash": "b2112aa7399 ... b071ea5976"},
    "z": {"is_admin": true, "hash": "b5152ab7359 ... a041fa5646", "displayname": "Jane Doe"}
  }

Optionally, specify the hash type and digest, the folder and the file extensions. The defaults are:

  "ep_hash_auth": {
    "hash_typ": "sha512",
    "hash_dig": "hex",
    "hash_dir": "/var/etherpad/users",
    "hash_ext": "/.hash",
    "hash_adm": false,
    "displayname_ext": "/.displayname",
    "hash_adm_ext": "/.adm"
  },

This means user Alice would have to have her hash in sha512 hex OR in bcrypt format in the following file:

/var/etherpad/users/Alice/.hash

The hash_adm parameter defines the role of file-authenticated users; by default they are not admins.

The displayname_ext parameter defines from which file the displayname of a user can be read. If the file does not exist for a user, the displayname remains unchanged.

The hash_adm_ext parameter defines from which file the is_admin boolean of a user can be read. If the file does not exist for a user, the hash_adm value will be used.
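
An added example, not the plugin's own code: one way to look up a user's file under hash_dir and compare a sha512 hex hash using only Node's crypto module. The function names and the prefix-based format detection are assumptions; bcrypt and Argon2 hashes are only recognised here, because verifying them needs their own libraries.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Added example (hypothetical names). Defaults from the page's ep_hash_auth block.
const defaults = {hash_typ: 'sha512', hash_dig: 'hex', hash_dir: '/var/etherpad/users', hash_ext: '/.hash'};

// Build <hash_dir>/<user><hash_ext>; null unless user is a single path component.
function hashFileFor(user, cfg) {
  if (!/^[^/\\\0]+$/.test(user) || user === '.' || user === '..') return null;
  const root = path.resolve(cfg.hash_dir);
  const file = path.resolve(root, user + cfg.hash_ext);
  return file.startsWith(root + path.sep) ? file : null;
}

// Tell the stored formats apart by their prefix (assumed detection rule).
function hashFormat(stored) {
  if (/^\$2[aby]\$\d\d\$/.test(stored)) return 'bcrypt';
  if (/^\$argon2(id|i|d)\$/.test(stored)) return 'argon2';
  return 'digest';
}

// Compare a password with a hash_typ/hash_dig digest in constant time.
function verifyDigest(password, stored, cfg) {
  const want = Buffer.from(stored, cfg.hash_dig);
  const got = crypto.createHash(cfg.hash_typ).update(password).digest();
  return want.length === got.length && crypto.timingSafeEqual(want, got);
}

// Read the user's hash file and check the password; deny on any doubt.
function checkUser(user, password, cfg) {
  const file = hashFileFor(user, cfg);
  if (!file || !fs.existsSync(file)) return false;
  const stored = fs.readFileSync(file, 'utf8').trim(); // drop a trailing newline
  if (hashFormat(stored) !== 'digest') return false;   // needs bcrypt/argon2 library
  return verifyDigest(password, stored, cfg);
}

// Constructed sample: user "Alice" with password "password" in a temp dir.
function demo() {
  const cfg = {...defaults, hash_dir: fs.mkdtempSync(path.join(os.tmpdir(), 'users-'))};
  const file = hashFileFor('Alice', cfg);
  fs.mkdirSync(path.dirname(file), {mode: 0o700});
  const hex = crypto.createHash('sha512').update('password').digest('hex');
  fs.writeFileSync(file, hex + '\n', {mode: 0o600});
  return ['password', 'wrong'].map((p) => checkUser('Alice', p, cfg));
}
console.log(demo());
```
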

Generate the hashes

Bcrypt:

apt-get install -yqq python3-bcrypt
python3 -c 'import bcrypt; print(bcrypt.hashpw(b"password", bcrypt.gensalt(rounds=10, prefix=b"2a")).decode())'

Argon2:

var argon2 = require('argon2');
argon2.hash("password", {timeCost: 4, memoryCost: 2 ** 13, parallelism: 2, type: argon2.argon2i}).then(hash => {console.log(hash);});

Credits

the npm

Installation

Install from the Etherpad admin UI (Admin → Manage Plugins, search for ep_hash_auth and click Install), or from the Etherpad root directory:

pnpm run plugins install ep_hash_auth

⚠️ Don't run npm i / npm install yourself from the Etherpad source tree — Etherpad tracks installed plugins through its own plugin-manager, and hand-editing package.json can leave the server unable to start.

After installing, restart Etherpad.

About

Etherpad plugin that allows the usage of hash values for authentication in settings.json
