Description:
The Argon2 hashing driver currently hardcodes the salt and digest lengths to 16 bytes (`Argon2SaltByteLength` and `Argon2DigestByteLength`). This design prevents the system from correctly parsing and validating existing digests in the database that use different lengths.
Specifically, the `Validate()` method in `/packages/go/crypto/argon2.go` assumes the digest length is always 16 bytes, which causes it to fail on digests with non-standard lengths.
This limitation breaks compatibility with digests that have been generated using different length parameters, which are technically supported by Argon2 and may already exist in the wild or be imported / managed by other tools.
The solution is to maintain the 16-byte defaults for new digests, but adjust the `Validate()` function to dynamically handle digest lengths based on the actual size of the stored digest.
Are you intending to fix this bug?
Maybe.
Component(s) Affected:
- PostgreSQL
- Other (tooling, documentation, etc.)
Steps to Reproduce:
1. Store an Argon2 digest with a non-default digest length (e.g., 32 bytes)
2. Attempt to validate the digest using the current `Validate()` method (e.g. log in via UI)
3. Observe that the validation fails (due to a length mismatch)
Expected Behavior:
The `Validate()` method should dynamically match against the actual stored digest length, regardless of whether it is 16, 32, or any other valid length.
Actual Behavior:
The `Validate()` method always uses a hardcoded 16-byte digest length for validation, which fails if the stored digest is a different size.
Screenshots/Code Snippets/Sample Files:
Current (problematic) line in `Validate()`:

```go
contentDigest := argon2.IDKey([]byte(content), s.Salt, s.NumIterations, s.MemoryKibibytes, s.NumThreads, Argon2DigestByteLength)
```

Proposed fix:

```go
contentDigest := argon2.IDKey([]byte(content), s.Salt, s.NumIterations, s.MemoryKibibytes, s.NumThreads, uint32(len(s.Digest)))
```
Environment Information:
Go (if API related): go1.22+
Additional Information:
This change improves interoperability and makes the Argon2 driver more robust to format variations, especially important in environments with imported secrets or alternative generation tools.
Potential Solution (optional):
Proposed fix:

```go
contentDigest := argon2.IDKey([]byte(content), s.Salt, s.NumIterations, s.MemoryKibibytes, s.NumThreads, uint32(len(s.Digest)))
```
Related Issues:
None
Contributor Checklist:
- I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
- I have provided clear steps to reproduce the issue.
- I have included relevant environment information details.
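
An added example, not part of the issue or the project's code: a validation routine that sizes the derived key from the stored digest, as the proposed fix does, and bounds that length before deriving anything. `StoredDigest`, `KDF`, the 4 to 64 byte bounds and `standInKDF` are assumptions; `standInKDF` stands in for `argon2.IDKey` (same signature) so the block runs with only the standard library.

```go
package main

import (
	"crypto/sha512"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// KDF matches the signature of argon2.IDKey (golang.org/x/crypto/argon2).
type KDF func(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte
// StoredDigest is a hypothetical record reusing the field names quoted in the issue.
type StoredDigest struct {
	Salt, Digest                   []byte
	NumIterations, MemoryKibibytes uint32
	NumThreads                     uint8
}

// RFC 9106 permits tags from 4 bytes up; the 64-byte ceiling is an assumed local policy.
const minDigestLen, maxDigestLen = 4, 64
var ErrDigestLength = errors.New("stored digest length out of bounds")

// Validate derives a key exactly as long as the stored digest, after bounding that
// length: two empty slices compare equal, so an empty digest must never reach the compare.
func Validate(kdf KDF, s StoredDigest, content string) (bool, error) {
	n := len(s.Digest)
	if n < minDigestLen || n > maxDigestLen {
		return false, ErrDigestLength
	}
	derived := kdf([]byte(content), s.Salt, s.NumIterations, s.MemoryKibibytes, s.NumThreads, uint32(n))
	return subtle.ConstantTimeCompare(derived, s.Digest) == 1, nil
}

// standInKDF is NOT Argon2; it only keeps this example offline. Like Argon2 it hashes
// keyLen into the output, so a 16-byte result is not a prefix of the 32-byte one.
func standInKDF(password, salt []byte, _, _ uint32, _ uint8, keyLen uint32) []byte {
	var l [4]byte
	binary.LittleEndian.PutUint32(l[:], keyLen)
	sum := sha512.Sum512(append(append(l[:], salt...), password...))
	return sum[:keyLen]
}

func main() {
	salt := []byte("constructed-salt")
	rec := StoredDigest{Salt: salt, Digest: standInKDF([]byte("constructed-pw"), salt, 1, 1, 1, 32)}
	fmt.Println(Validate(standInKDF, rec, "constructed-pw"))
	fmt.Println(Validate(standInKDF, StoredDigest{Salt: salt}, "anything"))
}
```

In real use, pass `argon2.IDKey` as the `kdf` argument.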