Admin token Argon2 hashing support

Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead
of only supporting a plain text string.

The hash must be a PHC string which can be generated via the `argon2`
CLI **or** via the also built-in hash command in Vaultwarden.

You can simply run `vaultwarden hash` to generate a hash based upon a
password the user provides them self.

Added a warning during startup and within the admin settings panel is
the `ADMIN_TOKEN` is not an Argon2 hash.

Within the admin environment a user can ignore that warning and it will
not be shown for at least 30 days. After that the warning will appear
again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash.

I have also tested this on my RaspberryPi 2b and there the `Bitwarden`
preset takes almost 4.5 seconds to generate/verify the Argon2 hash.

Using the `OWASP` preset it is below 1 second, which I think should be
fine for low-graded hardware. If it is needed people could use lower
memory settings, but in those cases I even doubt Vaultwarden it self
would run. They can always use the `argon2` CLI and generate a faster hash.

src/static/scripts/admin_settings.js

@@ -157,6 +157,41 @@ function masterCheck(check_id, inputs_query) {
     }
 }
 
+// This will check if the ADMIN_TOKEN is not a Argon2 hashed value.
+// Else it will show a warning, unless someone has closed it.
+// Then it will not show this warning for 30 days.
+function checkAdminToken() {
+    const admin_token = document.getElementById("input_admin_token");
+    const disable_admin_token = document.getElementById("input_disable_admin_token");
+    if (!disable_admin_token.checked && !admin_token.value.startsWith("$argon2")) {
+        // Check if the warning has been closed before and 30 days have passed
+        const admin_token_warning_closed = localStorage.getItem("admin_token_warning_closed");
+        if (admin_token_warning_closed !== null) {
+            const closed_date = new Date(parseInt(admin_token_warning_closed));
+            const current_date = new Date();
+            const thirtyDays = 1000*60*60*24*30;
+            if (current_date - closed_date < thirtyDays) {
+                return;
+            }
+        }
+
+        // When closing the alert, store the current date/time in the browser
+        const admin_token_warning = document.getElementById("admin_token_warning");
+        admin_token_warning.addEventListener("closed.bs.alert", function() {
+            const d = new Date();
+            localStorage.setItem("admin_token_warning_closed", d.getTime());
+        });
+
+        // Display the warning
+        admin_token_warning.classList.remove("d-none");
+    }
+}
+
+// This will check for specific configured values, and when needed will show a warning div
+function showWarnings() {
+    checkAdminToken();
+}
+
 const config_form = document.getElementById("config-form");
 
 // onLoad events
@@ -192,4 +227,6 @@ document.addEventListener("DOMContentLoaded", (/*event*/) => {
     }
 
     config_form.addEventListener("submit", saveConfig);
+
+    showWarnings();
 });

src/static/templates/admin/settings.hbs

@@ -1,4 +1,10 @@
 <main class="container-xl">
+    <div id="admin_token_warning" class="alert alert-warning alert-dismissible fade show d-none">
+        <button type="button" class="btn-close" data-bs-target="admin_token_warning" data-bs-dismiss="alert" aria-label="Close"></button>
+        You are using a plain text `ADMIN_TOKEN` which is insecure.<br>
+        Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.<br>
+        See: <a href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token" target="_blank" rel="noopener noreferrer">Enabling admin page - Secure the `ADMIN_TOKEN`</a>
+    </div>
     <div id="config-block" class="align-items-center p-3 mb-3 bg-secondary rounded shadow">
         <div>
             <h6 class="text-white mb-3">Configuration</h6>