The value of hashed-password can be used to open CodeServer directly, which is a security problem #7696

@nimengliusha

Description

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Chrome 143.0.7499.170
  • Local OS: windows
  • Remote OS: ubuntu 22.04, jupyterlab service
  • Remote Architecture: x86
  • code-server --version: v4.108.0

Steps to Reproduce

  1. Prepare the hashed-password with the command: echo -n "xxx" | npx argon2-cli -e
  2. Edit ~/.config/code-server/config.yaml: set auth: password and hashed-password: "$argon2i$v=19$m=4096,t=3,p=1$xxx$xxx"
  3. Start code-server with the command: code-server --port 7756
  4. Use jupyter_server_proxy to reach the code-server service, building a URL such as https://base_url/proxy/7756/
  5. When the code-server login page appears, skip entering xxx into the password field. Press F12, edit the application cookie (key: code-server-session, value: "$argon2i$v=19$m=4096,t=3,p=1$xxx$xxx"), and refresh the browser.

Expected

Failing to log in to code-server. The hashed-password in config.yaml should not act as the plain credential.

Actual

Successfully logged in to code-server.

Labels: bug (Something isn't working), security (Security related), triage (This issue needs to be triaged by a maintainer)