From 7dd455ce15d9fe15ec7b5c8ea19b894ac0fe795d Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Tue, 26 Nov 2024 17:31:27 +0100
Subject: [PATCH] Fix #4641 -- Make usage of argon2id optional (#4643)
---
 doc/admin/config.rst | 5 +++++
 .../0001_squashed_0028_auto_20160816_1242.py | 10 +++++++++-
 src/pretix/settings.py | 6 +++++-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/doc/admin/config.rst b/doc/admin/config.rst
index b17aee56c2..d8bd2a1e3f 100644
--- a/doc/admin/config.rst
+++ b/doc/admin/config.rst
@@ -288,6 +288,7 @@ Example::
 [django]
 secret=j1kjps5a5&4ilpn912s7a1!e2h!duz^i3&idu@_907s$wrz@x-
 debug=off
+ passwords_argon2=on
 ``secret``
 The secret to be used by Django for signing and verification purposes. If this
@@ -303,6 +304,10 @@ Example::
 .. WARNING:: Never set this to ``True`` in production!
+``passwords_argon``
+ Use the ``argon2`` algorithm for password hashing. Disable on systems with a small number of CPU cores (currently
+ less than 8).
+
 ``profile``
 Enable code profiling for a random subset of requests. Disabled by default, see :ref:`perf-monitoring` for details.
diff --git a/src/pretix/base/migrations/0001_squashed_0028_auto_20160816_1242.py b/src/pretix/base/migrations/0001_squashed_0028_auto_20160816_1242.py
index 206777e8c5..89ea02ab47 100644
--- a/src/pretix/base/migrations/0001_squashed_0028_auto_20160816_1242.py
+++ b/src/pretix/base/migrations/0001_squashed_0028_auto_20160816_1242.py
@@ -9,6 +9,7 @@ from decimal import Decimal
 import django.core.validators
 import django.db.models.deletion
 import i18nfield.fields
+from argon2.exceptions import HashingError
 from django.conf import settings
 from django.contrib.auth.hashers import make_password
 from django.db import migrations, models
@@ -25,7 +26,14 @@ def initial_user(apps, schema_editor):
 user = User(email='admin@localhost')
 user.is_staff = True
 user.is_superuser = True
- user.password = make_password('admin')
+ try:
+ user.password = make_password('admin')
+ except HashingError:
+ raise Exception(
+ "Could not hash password of initial user with argon2id. If this is a system with less than 8 CPU cores, "
+ "you might need to disable argon2id by setting `passwords_argon2=off` in the `[django]` section of the "
+ "pretix.cfg configuration file."
+ )
 user.save()
diff --git a/src/pretix/settings.py b/src/pretix/settings.py
index 49a9db52be..658817f7f9 100644
--- a/src/pretix/settings.py
+++ b/src/pretix/settings.py
@@ -726,7 +726,11 @@ PASSWORD_HASHERS = [
 # the HistoricPassword model will not be changed automatically. In case a serious issue with a hasher
 # comes to light, dropping the contents of the HistoricPassword table might be the more risk-adequate
 # decision.
- "django.contrib.auth.hashers.Argon2PasswordHasher",
+ *(
+ ["django.contrib.auth.hashers.Argon2PasswordHasher"]
+ if config.getboolean('django', 'passwords_argon2', fallback=True)
+ else []
+ ),
 "django.contrib.auth.hashers.PBKDF2PasswordHasher",
 "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
 "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
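Review bot: The new `except HashingError:` branch in initial_user discards the argon2 exception it caught, so an operator hitting this only sees the generic hint and never the underlying reason argon2 reported; chain it with `except HashingError as e:` and `raise Exception("...") from e`, and since this is a deployment problem rather than a code bug, `django.core.exceptions.ImproperlyConfigured` (it would need an import in this migration) is the more fitting type than a bare `Exception`. The message tells the user to set `passwords_argon2=off`, which matches the key settings.py reads, but the term added in doc/admin/config.rst is spelled ``passwords_argon`` — an operator following the docs would set a key nothing reads and hit the same error again, so one of the two spellings needs correcting. The def line of initial_user appears only in the hunk header, so the function starts outside the hunk.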
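Review bot: When `passwords_argon2` is off, Argon2PasswordHasher disappears from PASSWORD_HASHERS entirely, so any password already stored as an argon2 hash can no longer be verified (Django's check_password returns False for a hash whose hasher is not installed), and flipping the option off on an existing installation silently locks those users out until a password reset. If argon2 verification still works on the hosts where hashing fails — I can't tell from this hunk — keeping the hasher in the list after `"django.contrib.auth.hashers.PBKDF2PasswordHasher",` instead of dropping it would let existing hashes verify and be upgraded to PBKDF2 on the next login; if verification fails there too, the option should at least be documented as safe only for fresh installations. The HistoricPassword comparisons mentioned in the comment above the change are affected the same way, since those stored hashes are also left without a hasher. The PASSWORD_HASHERS list opens before this hunk.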