From 0b445fd78ba0472525ae41f99b96ce298bd11920 Mon Sep 17 00:00:00 2001 From: Tracker-Friendly Date: Sun, 25 Feb 2024 19:41:46 +0000 Subject: [PATCH] Fixed APIdocs --- APIDOCS.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/APIDOCS.md b/APIDOCS.md index bd12d4c..f2d0882 100644 --- a/APIDOCS.md +++ b/APIDOCS.md @@ -7,18 +7,26 @@ Headers should be: "Content-type: application/json; charset=UTF-8" for all POSTs POST - /api/signup - provide "username" and "password". -POST - /api/login - provide "username" and "password". +POST - /api/login - provide "username", "password", "changepassword" (must be "yes" or "no") and "newpass" -To prevent the server from knowing the encryption key, the password you provide in the request must be hashed with the argon2 algorithm. +To prevent the server from knowing the encryption key, the password you provide in the request must be hashed with the SHA-3 with 128 iterations (the hash is hashed again 128 times). + +If you wish to change the user's password, set "changepassword" to "yes" and "newpass" to the new hash. + +Some users use the legacy argon2id mode (by which i mean about 8), and to implement argon2id functionality, you hash like this: Parallelism should be 1 Iterations should be 256 Memory Allocated in bytes should be 512 Length of Hash should be 32 bytes The output should be in the encoded format, not the hashed format +Salt should be the SHA512 of the password +(Yes i know this is really bad practice, guess why we are replacing it) -The salt should be the SHA-512 of the password. +To test if SHA-3 or argon2 is used, just try the SHA-3 and if 422 gets returned try argon2. + +(For the sake of all of us, change the password to the SHA-3 hash) Password should be at least 8 characters, username must be under 20 characters and alphanumeric. 
@@ -28,13 +36,13 @@ Assuming everything went correctly, the server will return a secret key. You'll need to store two things in local storage: - The secret key you just got, used to fetch notes, save stuff etc. -- SHA512 hashed password, used as encryption key +- A SHA512 hashed password, used as encryption key ## Encryption Note content and title is encrypted using AES 256-bit. -Encryption password is the SHA512 hashed password we talked about earlier. +Encryption password is the SHA512 hashed password we talked about earlier. ## Basic stuff @@ -64,4 +72,4 @@ note content and title will have to be decrypted POST - /api/sessions/list - show all sessions, provide "secretKey" -POST - /api/sessions/remove - remove session, provide "secretKey" and "sessionId" \ No newline at end of file +POST - /api/sessions/remove - remove session, provide "secretKey" and "sessionId"
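Review bot: In the first hunk (the `@@ -7,18 +7,26 @@` region), the new line "hashed with the SHA-3 with 128 iterations (the hash is hashed again 128 times)" is underspecified for a client implementer: it names neither the SHA-3 variant (SHA3-256, SHA3-512, or SHAKE) nor the encoding that is fed back in on each round and finally sent (raw bytes vs. hex vs. base64), and "128 iterations" plus "hashed again 128 times" can be read as 128 or 129 applications. Please pin all three down, for example "SHA3-256 over the UTF-8 password, hex-encoded, applied 128 times in total". Two further points in the same hunk: the new scheme has no salt at all, so the value sent is a plain password-equivalent, and the document should say that the server still applies a proper password hash on its side, otherwise this is a step down from the argon2id it replaces; and the retained argon2id lines ("The output should be in the encoded format" together with "Salt should be the SHA512 of the password") mean the encoded string handed to the server carries the SHA512 salt, which the second hunk says is the encryption key, contradicting "To prevent the server from knowing the encryption key" in the same paragraph. Finally, "just try the SHA-3 and if 422 gets returned try argon2" asks every client to probe on each login; document which response distinguishes "wrong hash format" from "wrong password", or preferably describe the migration so clients never need to probe.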
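Review bot: In the second hunk (the `@@ -28,13 +36,13 @@` region), the pair "-Encryption password is the SHA512 hashed password we talked about earlier." / "+Encryption password is the SHA512 hashed password we talked about earlier." differs only in trailing whitespace, so the hunk changes nothing the reader can see; if you are touching this section anyway, the "## Encryption" text still leaves the client without enough to interoperate: "Note content and title is encrypted using AES 256-bit." names no mode, IV/nonce handling, or ciphertext encoding, and "SHA512 hashed password" does not say whether the 64-byte digest is truncated, hex-encoded, or otherwise turned into a 32-byte AES-256 key. Please state the mode (and that a fresh random IV/nonce is stored alongside each ciphertext), the key derivation from the SHA512 output, and the wire encoding; also "Note content and title is encrypted" should read "are encrypted".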