
Phase 30: Remove hardcoded credentials and implement Argon2id authentication #70

Merged
infinityabundance merged 8 commits into main from copilot/fix-security-issues
Feb 14, 2026

Copilot AI commented Feb 14, 2026

Summary

Eliminates critical authentication vulnerabilities: hardcoded admin credentials, static demo token, and weak DJB2 password hashing. Implements Argon2id via libsodium with cryptographically secure token generation.

Details

  • Bug fix
  • New feature
  • Performance improvement
  • Documentation / tooling

What changed?

Authentication System (src/web/auth_manager.c)

  • Removed hardcoded admin:admin default user
  • Replaced DJB2 hash with Argon2id via user_auth_hash_password()
  • Added password validation: 8+ chars, requires letter+digit, max 128
  • Token generation via crypto_prim_random_bytes() (32 bytes → 64+ hex chars)
  • Error handling for crypto operation failures

API Routes (src/web/api_routes.c)

  • Removed static "demo_token_12345" from login endpoint
  • Implemented JSON parsing with bounds checking and escape sequence handling
  • Connected login/logout/verify to auth_manager
  • Added mutex-protected global auth manager access

User Model (src/database/models/user_model.cpp)

  • Fixed validatePassword() stub (was always returning false)
  • Implemented Argon2 verification via crypto_pwhash_str_verify()

Configuration

  • Admin setup via environment variables:
    export ROOTSTREAM_ADMIN_USERNAME="admin"
    export ROOTSTREAM_ADMIN_PASSWORD="SecurePass123"

Documentation

  • Removed hardcoded credentials from examples
  • Added security configuration guide

Rationale

Web dashboard authentication was non-functional in production:

  • Default credentials exposed in source
  • Static token bypassed authentication entirely
  • Password verification broken (C++ model)
  • DJB2 hash trivially cracked via rainbow tables

Argon2id is OWASP-recommended for password storage. Leverages existing libsodium infrastructure from Phase 21 security module.

Testing

  • Built successfully (make)
  • Basic streaming tested
  • Tested on:
    • Comprehensive test suite: tests/unit/test_phase30_security.c
    • Validates: password strength, token uniqueness, no default credentials, Argon2 verification
    • All code review feedback addressed (bounds checking, thread safety, error handling)

Notes

  • Potential impact on latency or resource usage: Argon2 hashing adds ~100ms per authentication (intentional for security)
  • Any follow-up work needed:
    • Integrate existing MFA (TOTP in user_auth.c)
    • Connect rate limiting (attack_prevention.c)
    • Enable audit logging (audit_log.c)

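An added sketch of the password policy and token generation listed under "What changed?" above; it is not the PR's own code. `password_policy_ok` and `session_token_new` are hypothetical names, and Linux `getrandom()` stands in for the project's `crypto_prim_random_bytes()`; Argon2id hashing is left out because it needs libsodium.

```c
/* Added illustration, not RootStream's auth_manager.c. Function names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/random.h>  /* getrandom(): assumed stand-in for crypto_prim_random_bytes() */

#define PW_MIN 8
#define PW_MAX 128
#define TOKEN_BYTES 32
#define TOKEN_HEX_LEN (TOKEN_BYTES * 2)

/* Policy from the PR description: 8..128 chars, at least one letter and one digit.
 * Returns 0 when the password is acceptable, -1 otherwise. */
int password_policy_ok(const char *pw)
{
    size_t len = 0;
    int has_letter = 0, has_digit = 0;
    if (pw == NULL) return -1;
    for (; pw[len] != '\0'; len++) {
        if (len >= PW_MAX) return -1;  /* 129th char: reject, stop scanning */
        unsigned char c = (unsigned char)pw[len];
        if (isalpha(c)) has_letter = 1;
        if (isdigit(c)) has_digit = 1;
    }
    if (len < PW_MIN) return -1;
    return (has_letter && has_digit) ? 0 : -1;
}

/* Writes 64 lowercase hex chars plus NUL into out.
 * Fails closed: on any error returns -1 and leaves out as an empty string,
 * so a caller that ignores the return value never sees a predictable token. */
int session_token_new(char *out, size_t out_size)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[TOKEN_BYTES];
    if (out == NULL || out_size == 0) return -1;
    out[0] = '\0';
    if (out_size < TOKEN_HEX_LEN + 1) return -1;
    if (getrandom(raw, sizeof raw, 0) != (ssize_t)sizeof raw) return -1;
    for (size_t i = 0; i < TOKEN_BYTES; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[TOKEN_HEX_LEN] = '\0';
    return 0;
}
```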

Copilot AI and others added 7 commits February 14, 2026 18:32
…password validation

Co-authored-by: infinityabundance <255699974+infinityabundance@users.noreply.github.com>
Co-authored-by: infinityabundance <255699974+infinityabundance@users.noreply.github.com>
Co-authored-by: infinityabundance <255699974+infinityabundance@users.noreply.github.com>
…better test diagnostics

Co-authored-by: infinityabundance <255699974+infinityabundance@users.noreply.github.com>
…ling

Co-authored-by: infinityabundance <255699974+infinityabundance@users.noreply.github.com>
…eration

Co-authored-by: infinityabundance <255699974+infinityabundance@users.noreply.github.com>
Co-authored-by: infinityabundance <255699974+infinityabundance@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix security issues for phase 30" to "Phase 30: Remove hardcoded credentials and implement Argon2id authentication" Feb 14, 2026
infinityabundance marked this pull request as ready for review February 14, 2026 18:46
infinityabundance merged commit 18fa247 into main Feb 14, 2026
1 of 6 checks passed