doubleSlashde · mplieske · Nov 26, 2025
diff --git a/pom.xml b/pom.xml
@@ -168,6 +168,12 @@
       <version>2.18.2</version>
     </dependency>
 
+    <!-- for Argon2PasswordEncoder -->
+    <dependency>
+        <groupId>org.bouncycastle</groupId>
+        <artifactId>bcprov-jdk18on</artifactId>
+        <version>1.78.1</version> <!-- or latest -->
+    </dependency>
   </dependencies>
   <build>
     <finalName>keeptime-${project.version}</finalName>

diff --git a/src/main/java/de/doubleslash/keeptime/common/DefaultPasswordEncoder.java b/src/main/java/de/doubleslash/keeptime/common/DefaultPasswordEncoder.java
@@ -0,0 +1,13 @@
+package de.doubleslash.keeptime.common;
+
+import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
+
+public class DefaultPasswordEncoder {
+
+   private static Argon2PasswordEncoder passwordEncoder = new Argon2PasswordEncoder(16, 32, 4, 128000, 10);
+
+   public static final Argon2PasswordEncoder getPasswordEncoder() {
+      return DefaultPasswordEncoder.passwordEncoder;
+   }
+
+}
diff --git a/src/main/java/de/doubleslash/keeptime/rest/SecurityConfiguration.java b/src/main/java/de/doubleslash/keeptime/rest/SecurityConfiguration.java
@@ -24,8 +24,11 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 
+import de.doubleslash.keeptime.common.DefaultPasswordEncoder;
+
 @Configuration
 @EnableWebSecurity
 public class SecurityConfiguration {
@@ -39,4 +42,9 @@ public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception
 
       return http.build();
    }
+
+   @Bean
+   public PasswordEncoder passwordEncoder() {
+      return DefaultPasswordEncoder.getPasswordEncoder();
+   }
 }
diff --git a/src/main/java/de/doubleslash/keeptime/view/SettingsController.java b/src/main/java/de/doubleslash/keeptime/view/SettingsController.java
@@ -43,6 +43,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Component;
 
 import de.doubleslash.keeptime.ApplicationProperties;
@@ -758,12 +759,15 @@ private void handleApiOn() {
       String username = authName.getText();
       String password = authPassword.getText();
 
+      PasswordEncoder passwordEncoder = DefaultPasswordEncoder.getPasswordEncoder();
+      String encodedPassword = passwordEncoder.encode(password);
+
       Map<String, String> propertiesToUpdate = new HashMap<>();
       propertiesToUpdate.put("spring.main.web-application-type", "");
       propertiesToUpdate.put("server.port", authPort.getText());
       propertiesToUpdate.put("api", "ON");
       propertiesToUpdate.put("spring.security.user.name", username);
-      propertiesToUpdate.put("spring.security.user.password", password);
+      propertiesToUpdate.put("spring.security.user.password", encodedPassword);
 
       propertyWrite(propertiesToUpdate);
    }