From 90be370095161554019403c354d688b3ed96b26f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Thu, 21 Apr 2022 18:58:29 +0200
Subject: [PATCH] Manager: reduce password strength of Workers

The password check of worker API calls was 2 orders of magnitude slower than actually handling the API call itself. Since the Worker authentication is not that important (it's all on the same network anyway, and Worker account registration is automatic too), lowering the BCrypt cost to the minimum helps. On my machine, this reduces the time for password checks from 50 to 2 ms.
---
 internal/manager/api_impl/workers.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/manager/api_impl/workers.go b/internal/manager/api_impl/workers.go
index 79b8e18a..2e8217fb 100644
--- a/internal/manager/api_impl/workers.go
+++ b/internal/manager/api_impl/workers.go
@@ -18,6 +18,10 @@ import (
 "git.blender.org/flamenco/pkg/api"
 )
 
+// The default BCrypt cost is made for important passwords. For Flamenco, the
+// Worker password is not that important.
+const bcryptCost = bcrypt.MinCost
+
 // RegisterWorker registers a new worker and stores it in the database.
 func (f *Flamenco) RegisterWorker(e echo.Context) error {
 logger := requestLogger(e)
@@ -33,7 +37,7 @@ func (f *Flamenco) RegisterWorker(e echo.Context) error {
 
 logger.Info().Str("nickname", req.Nickname).Msg("registering new worker")
 
- hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Secret), bcrypt.DefaultCost)
+ hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Secret), bcryptCost)
 if err != nil {
 logger.Warn().Err(err).Msg("error hashing worker password")
 return sendAPIError(e, http.StatusBadRequest, "error hashing password")
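Review bot: `const bcryptCost = bcrypt.MinCost` fixes the work factor at 4, and the comment above it does not record the assumption that makes this acceptable. If `req.Secret` is a long random token generated by the Worker (not visible in this patch), the low cost loses little. If it can be short or operator-chosen, a copy of the worker table from a backup or a compromised host becomes cheap to guess offline, which "same network" does not cover. I would state the assumption next to the constant, e.g. `// bcrypt.MinCost (4) is acceptable only because Worker secrets are random, machine-generated tokens; revisit if that changes.` The constant is used in the second hunk, in RegisterWorker.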
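Review bot: Only hashes produced by this `GenerateFromPassword` call after the change get the lower cost. bcrypt stores the cost inside each hash, so Workers registered earlier will presumably still be verified at `bcrypt.DefaultCost` by the authentication code, which is outside this patch. If the 50 ms to 2 ms improvement should cover them too, the verifier could re-hash after a successful check when `bcrypt.Cost` of the stored hash differs from `bcryptCost`. Otherwise the commit message could note that existing Workers need to re-register. RegisterWorker's body starts and ends outside the hunk.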