Fallback to BCrypt auth when BCRYPT_AUTH_FALLBACK

models/user.go

@@ -21,6 +21,8 @@ import (
 	"strings"
 	"time"
 
+	"golang.org/x/crypto/bcrypt"
+
 	"github.com/Unknwon/com"
 	"github.com/go-xorm/xorm"
 	"github.com/nfnt/resize"
@@ -251,7 +253,13 @@ func (u *User) EncodePasswd() {
 func (u *User) ValidatePassword(passwd string) bool {
 	newUser := &User{Passwd: passwd, Salt: u.Salt}
 	newUser.EncodePasswd()
-	return u.Passwd == newUser.Passwd
+	if u.Passwd == newUser.Passwd {
+		return true
+	}
+	if setting.BCryptAuthFallback && bcrypt.CompareHashAndPassword([]byte(u.Passwd), []byte(passwd)) == nil {
+		return true
+	}
+	return false
 }
 
 // UploadAvatar saves custom avatar for user.

modules/setting/setting.go

@@ -77,6 +77,7 @@ var (
 	CookieUserName       string
 	CookieRememberName   string
 	ReverseProxyAuthUser string
+	BCryptAuthFallback   bool
 
 	// Database settings.
 	UseSQLite3    bool
@@ -324,6 +325,7 @@ func NewContext() {
 	CookieUserName = sec.Key("COOKIE_USERNAME").String()
 	CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").String()
 	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
+	BCryptAuthFallback = sec.Key("BCRYPT_AUTH_FALLBACK").MustBool()
 
 	sec = Cfg.Section("attachment")
 	AttachmentPath = sec.Key("PATH").MustString(path.Join(AppDataPath, "attachments"))