Deluge: generate separate random password instead of syncing account password #211

@MagnaCapax

Problem

Deluge daemon auth file (~/.config/deluge/auth) stores passwords in plaintext in all versions <= 2.1.1. Even Deluge 2.2.0 (which adds scrypt hashing for non-localclient accounts) keeps localclient in plaintext because local UIs read the file directly to auto-login.

Syncing the customer's account password (SSH, web UI) to this plaintext file is a security risk:

  • CVE-2025-46564 (Critical): Unauthenticated path traversal in Deluge web UI /js endpoint allows reading arbitrary OS files — including the auth file. No authentication required.
  • CVE-2017-7178 (High): CSRF → malicious plugin upload → RCE. Still works for authenticated attackers.
  • Default exposure: deluged and deluge-web both listen on 0.0.0.0 by default, with default password deluge.
  • Crypto mining vector: Exposed Deluge instances with default/weak passwords are actively exploited for cryptomining.

Commit 8196b43 removed Deluge password sync as an emergency fix. The template's random hex token (localclient:db1f077...) remains as the default — functional but not user-friendly.

Proposed Solution

  1. During user provisioning, generate a separate random password for Deluge (NOT the account password)
  2. Write this random password to the Deluge auth file (plaintext is acceptable when it's a unique per-service credential, not the account password)
  3. Show the Deluge password to the user in their control panel or Access Details email
  4. On changePw.php, do NOT sync to Deluge — the Deluge password stays independent
  5. Provide a self-service tool for users to change their Deluge password independently

Security Requirements

  • Deluge password MUST be different from the account password
  • Deluge password MUST be randomly generated (high entropy)
  • Deluge password SHOULD be displayed to the user (control panel, email, or both)
  • Account password changes MUST NOT affect Deluge password
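The provisioning flow proposed above and the four security requirements, as an added Python example that is not part of this issue or the project's PHP code base. It assumes hypothetical helper names (generate_deluge_password, render_auth_file, write_auth_file, provision_deluge_credential, rotate_deluge_credential), that the auth file lives at a path passed in by the caller, and that Deluge's admin auth level is 10 (the level used by the template's localclient line). The account password is passed in only so the code can enforce that the two credentials differ; nothing here ever writes it, and a change of the account password has no code path into the Deluge file.

```python
import os
import secrets
import string
import tempfile
from pathlib import Path

# Assumption: Deluge's admin auth level is 10 (the level on the template's localclient line).
AUTH_LEVEL_ADMIN = "10"
# No ':' and no whitespace, so the generated value can never break the username:password:level line.
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def generate_deluge_password(length: int = 32) -> str:
    """High-entropy random password from the CSPRNG-backed secrets module.

    32 characters over a 62-symbol alphabet is about 190 bits of entropy, so even
    with the auth file stored in plaintext the credential itself is not guessable.
    """
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def render_auth_file(existing: str, username: str, password: str,
                     level: str = AUTH_LEVEL_ADMIN) -> str:
    """Replace (or append) one `username:password:level` line in Deluge auth-file text.

    Other accounts and comment lines are preserved untouched.
    """
    if ":" in username or ":" in password or any(c in password for c in "\r\n"):
        raise ValueError("username/password must not contain ':' or newlines")
    out = []
    replaced = False
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped.split(":", 1)[0] == username:
            out.append(f"{username}:{password}:{level}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{username}:{password}:{level}")
    return "\n".join(out) + "\n"


def write_auth_file(auth_path: Path, content: str) -> None:
    """Atomically write the auth file with mode 0600 so only the service user can read it."""
    auth_path.parent.mkdir(parents=True, exist_ok=True)
    tmp = auth_path.with_name(auth_path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o600)        # the umask or a pre-existing tmp file may have widened the mode
    os.replace(tmp, auth_path)  # atomic on POSIX: no window with a half-written auth file


def provision_deluge_credential(auth_path: Path, account_password: str,
                                username: str = "localclient") -> str:
    """Provisioning step: create an independent Deluge password and store it.

    The account password is used only to assert the two credentials differ;
    it is never written by this function.
    """
    deluge_password = generate_deluge_password()
    while deluge_password == account_password:  # practically impossible, but the requirement is a MUST
        deluge_password = generate_deluge_password()
    existing = auth_path.read_text() if auth_path.exists() else ""
    write_auth_file(auth_path, render_auth_file(existing, username, deluge_password))
    return deluge_password  # caller shows this in the control panel / Access Details email


def rotate_deluge_credential(auth_path: Path, username: str = "localclient") -> str:
    """Self-service reset: a fresh random Deluge password, with no reference to the account password."""
    new_password = generate_deluge_password()
    existing = auth_path.read_text() if auth_path.exists() else ""
    write_auth_file(auth_path, render_auth_file(existing, username, new_password))
    return new_password


if __name__ == "__main__":
    # Demo against a throwaway directory rather than the real ~/.config/deluge/auth.
    with tempfile.TemporaryDirectory() as tmpdir:
        auth = Path(tmpdir) / "auth"
        # The template default from this issue, seeded as the existing file content.
        auth.write_text("localclient:db1f077e3ae178fad7608c327f2cd12dfe63ca67:10\n")
        account_pw = "hunter2"  # constructed stand-in for the customer's account password
        deluge_pw = provision_deluge_credential(auth, account_pw)
        print("Deluge password:", deluge_pw)
        print(auth.read_text(), end="")
        print("mode:", oct(auth.stat().st_mode & 0o777))
```

The PHP side of the proposal maps onto this directly: provisioning calls the equivalent of provision_deluge_credential once and displays the result, changePw.php simply has no call into it, and the self-service tool calls the equivalent of rotate_deluge_credential. The atomic temp-file-plus-rename write matters because deluged reads the auth file directly; a partially written file would lock the local client out until the next write completes.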

Background

  • Deluge auth format: username:password:level (plaintext in <= 2.1.1, scrypt in >= 2.2.0 for non-localclient)
  • The db1f077e3ae178fad7608c327f2cd12dfe63ca67 in the template is NOT a SHA1 hash — it's a random hex string used as a plaintext password
  • Web UI password (web.conf) uses SHA1+salt (separate from daemon auth)
  • qBittorrent uses PBKDF2-HMAC-SHA512 (properly hashed) — already implemented in passwords.php
