feat(core): implement legacy password migration support #6949

Open
wants to merge 3 commits into
base: master

@fre2d0m fre2d0m commented Jan 17, 2025

Add support for legacy password migration with the following changes:

  • core: Add legacy password migration implementation and API endpoints
  • schemas: Add database schema changes for legacy password encryption
  • phrases: Add error messages for legacy password scenarios in all supported languages

This change enables seamless migration of user passwords from legacy systems while maintaining security and providing appropriate error handling.

Summary

This PR implements support for legacy password migration, allowing seamless integration of existing user accounts from legacy systems into Logto. The implementation includes:

  1. Core Package Changes:

    • Added legacy password validation and migration logic in packages/core/src/utils/password.ts
    • Implemented new API endpoints in packages/core/src/routes/admin-user/basics.ts
    • Enhanced user library to handle legacy password scenarios
  2. Database Schema Changes:

    • Added new columns in users table for legacy password support
    • Created database migration script for schema updates
    • Ensures backward compatibility with existing password storage
    • Legacy password stored format: ["sha256",["salt123", "@"],"hashed2345"]
  3. Internationalization:

    • Added new error messages for legacy password scenarios:
      • invalid_legacy_password_format
      • unsupported_legacy_hash_algorithm
    • Implemented translations for all supported languages (19 locales)

Testing

The changes have been tested through:

  1. Unit Tests:

    • Added comprehensive test suite in packages/core/src/utils/password.test.ts
    • Tests cover various legacy password formats and migration scenarios
    • Includes both success and failure cases for password validation
  2. Manual Testing:

    • Verified legacy password migration flow
    • Tested error handling for invalid password formats
    • Confirmed proper internationalization of error messages

Checklist

  • .changeset - Added changeset for version bump
  • unit tests - Added password migration unit tests
  • integration tests - Not applicable for this change
  • necessary TSDoc comments - Added documentation for new functions and types

@github-actions github-actions bot added the feature Cool stuff label Jan 17, 2025

github-actions bot commented Jan 17, 2025

COMPARE TO master

Total Size Diff ⚠️ 📈 +11.07 KB

Diff by File
Name Diff
packages/core/src/libraries/user.test.ts 📈 +51 Bytes
packages/core/src/libraries/user.ts 📈 +303 Bytes
packages/core/src/routes/admin-user/basics.ts 📈 +189 Bytes
packages/core/src/utils/password.test.ts 📈 +3.91 KB
packages/core/src/utils/password.ts 📈 +2.68 KB
packages/phrases/src/locales/ar/errors/password.ts 📈 +225 Bytes
packages/phrases/src/locales/de/errors/password.ts 📈 +173 Bytes
packages/phrases/src/locales/en/errors/password.ts 📈 +159 Bytes
packages/phrases/src/locales/es/errors/password.ts 📈 +175 Bytes
packages/phrases/src/locales/fr/errors/password.ts 📈 +190 Bytes
packages/phrases/src/locales/it/errors/password.ts 📈 +166 Bytes
packages/phrases/src/locales/ja/errors/password.ts 📈 +203 Bytes
packages/phrases/src/locales/ko/errors/password.ts 📈 +193 Bytes
packages/phrases/src/locales/pl-pl/errors/password.ts 📈 +173 Bytes
packages/phrases/src/locales/pt-br/errors/password.ts 📈 +168 Bytes
packages/phrases/src/locales/pt-pt/errors/password.ts 📈 +176 Bytes
packages/phrases/src/locales/ru/errors/password.ts 📈 +258 Bytes
packages/phrases/src/locales/tr-tr/errors/password.ts 📈 +163 Bytes
packages/phrases/src/locales/zh-cn/errors/password.ts 📈 +152 Bytes
packages/phrases/src/locales/zh-hk/errors/password.ts 📈 +155 Bytes
packages/phrases/src/locales/zh-tw/errors/password.ts 📈 +155 Bytes
packages/schemas/alterations/next-1736492439-add-legacy-password-encryption.ts 📈 +1.11 KB
packages/schemas/tables/users.sql 📈 +10 Bytes

@fre2d0m
Author

fre2d0m commented Jan 17, 2025

The failed test doesn't seem to come from my commit.

@wangsijie
Contributor

@fre2d0m I'll take a look

@wangsijie
Contributor

Hi, @fre2d0m thanks for your contribution, you'll need to resolve the failed test:

 SyntaxError: The requested module '#src/utils/password.js' does not provide an export named 'legacyVerify'

@fre2d0m
Author

fre2d0m commented Jan 22, 2025

> Hi, @fre2d0m thanks for your contribution, you'll need to resolve the failed test:
>
> SyntaxError: The requested module '#src/utils/password.js' does not provide an export named 'legacyVerify'

Function is

export const legacyVerify = async (
  storedPassword: string,
  inputPassword: string
): Promise<boolean> => {
  try {
    const parsed = parseLegacyPassword(storedPassword);
    const calculatedHash = await executeLegacyHash(parsed, inputPassword);
    return calculatedHash === parsed.encryptedPassword;
  } catch {
    return false;
  }
};

I actually executed CI locally as well as tested the function, and if it was not exported then I wouldn't even log in successfully.

case UsersPasswordEncryptionMethod.Legacy: {
  const isValid = await legacyVerify(passwordEncrypted, password);
  assertThat(isValid, new RequestError({ code: 'session.invalid_credentials', status: 422 }));
  break;
}

Maybe you can tell me the specific file where the error occurred?
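
Added example (not code from this PR or from Logto): a fail-closed verifier for the stored format `["sha256",["salt123", "@"],"hashed2345"]` that allow-lists the algorithm and compares digests in constant time instead of with `===`. The function names, the allow-list, the reading of `"@"` as the slot for the input password, plain concatenation of the parts, and hex encoding of the stored hash are all assumptions.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Assumption: only these digests are accepted; anything else fails closed.
const allowedAlgorithms = new Set(['md5', 'sha1', 'sha256', 'sha512']);

type LegacyDigest = { algorithm: string; args: string[]; expectedHex: string };

// Strictly parse the stored JSON triple [algorithm, args, hash].
// Error strings reuse the two phrase keys listed in the PR description.
function parseLegacyDigest(stored: string): LegacyDigest {
  const parsed: unknown = JSON.parse(stored);
  if (!Array.isArray(parsed) || parsed.length !== 3) {
    throw new Error('invalid_legacy_password_format');
  }
  const [algorithm, args, expectedHex] = parsed;
  if (
    typeof algorithm !== 'string' ||
    !Array.isArray(args) ||
    !args.every((a) => typeof a === 'string') ||
    !args.includes('@') ||
    typeof expectedHex !== 'string'
  ) {
    throw new Error('invalid_legacy_password_format');
  }
  if (!allowedAlgorithms.has(algorithm)) {
    throw new Error('unsupported_legacy_hash_algorithm');
  }
  return { algorithm, args: args as string[], expectedHex };
}

// Hypothetical verifier: returns false on any parse or hashing failure.
function verifyLegacyDigest(stored: string, input: string): boolean {
  try {
    const { algorithm, args, expectedHex } = parseLegacyDigest(stored);
    // Assumption: "@" marks where the input password goes; parts are concatenated.
    const material = args.map((part) => (part === '@' ? input : part)).join('');
    const actual = createHash(algorithm).update(material, 'utf8').digest();
    const expected = Buffer.from(expectedHex, 'hex');
    // timingSafeEqual throws on a length mismatch, so check the length first.
    return expected.length === actual.length && timingSafeEqual(expected, actual);
  } catch {
    return false;
  }
}

// Constructed sample record: salt "salt123" followed by the password.
function makeSampleRecord(password: string): string {
  const hex = createHash('sha256').update('salt123' + password).digest('hex');
  return JSON.stringify(['sha256', ['salt123', '@'], hex]);
}
```
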

@wangsijie
Contributor

@fre2d0m I'll try to fix it

fre2d0m and others added 3 commits January 26, 2025 10:28
Add support for legacy password migration with the following changes:

- core: Add legacy password migration implementation and API endpoints
- schemas: Add database schema changes for legacy password encryption
- phrases: Add error messages for legacy password scenarios in all supported languages

This change enables seamless migration of user passwords from legacy systems while
maintaining security and providing appropriate error handling.
@wangsijie wangsijie force-pushed the legacy branch 2 times, most recently from ef3cc81 to b54af24 Compare January 26, 2025 03:23