GSoC 2026 Introduction — Yuvraj Singh | Password Authentication Re-work

About Me

  • Name: Yuvraj Singh
  • University: AKGEC Ghaziabad, India (3rd year CSE)
  • Stack: Java 17 · Spring Boot · Spring Security · JWT · JPA/Hibernate · MySQL · React
  • GitHub: 0-YuvrajSingh/medvault: Patient record management & appointment scheduling platform with JWT auth, RBAC, and AOP audit logging

I’ve completed internships at IBM and Infosys Springboard focused on REST API development and endpoint security. My project MedVault is a healthcare platform with Spring Security-based RBAC, JWT auth, and AOP audit logging.


Project: Password Authentication Re-work

Problem Statement

OpenMRS’s password system hasn’t been updated since ~2009. It lacks:

  • Configurable work factors / hash iterations
  • Support for modern algorithms (BCrypt, Argon2)
  • Integration with Spring Security’s PasswordEncoder abstraction
  • A safe upgrade path for existing hashed passwords

Proposed Solution

  1. Audit current password handling in UserServiceImpl
  2. Migrate to Spring Security PasswordEncoder (BCrypt default)
  3. Implement transparent re-hashing on successful login
  4. Optionally: build on top of the existing authentication module for TOTP/MFA readiness
  5. Full test coverage — no existing user should be locked out

Timeline (12 weeks)

  • Week 1-2: Community bonding, codebase audit, JIRA setup
  • Week 3-4: Design doc, community review, finalize approach
  • Week 5-7: Core PasswordEncoder migration + unit tests
  • Week 8-9: Transparent upgrade mechanism + integration tests
  • Week 10-11: Migration safety testing, edge cases, docs
  • Week 12: Final polish, PR review, submission

Why Me

Spring Security is my primary domain. I’ve implemented JWT pipelines, secured 10+ endpoints with role-based access, and dealt with auth upgrade paths in production-like environments.


Questions for the Community

  1. Is there an existing JIRA ticket or prior discussion on this I should link?
  2. Should this be scoped as small (~90h) or medium (~175h)?
  3. What good-first-issue would you recommend to get started before March 28?

@jayasanka @ibacher — any guidance welcome!

Hey, is this your GSoC proposal?

Hi @wedson! No, this isn’t the proposal itself — this is my introduction post to connect with the OpenMRS community and find a mentor before the application period closes.

The actual GSoC proposal will be submitted on the official Google Summer of Code portal (summerofcode.withgoogle.com) before the deadline. I’m currently working on the full proposal draft for the “Password Authentication Re-work” project.

Happy to share more details about the idea if you’re interested! :blush:

Ohh cool :grinning_face:… thank you. Actually, I asked thinking it was your proposal, and yet it should be private between you and your mentor.

Hello @yuvrajsingh, this is not where we write the proposal. Currently we have a template to follow, and you can find it over here

Thanks Elvis! I found the template and I’m working through it now. Quick q: should the “Problem Statement” section reference the OpenMRS documentation you linked, or do you want proof-of-concept code showing the current auth flow first?

Hi @Emmanuel Nyachoke — I saw you’re the assigned mentor for the Password Authentication Re-work idea this year and wanted to reach out directly before the submission deadline (March 31).

I’ve been working on this project for a few weeks and have already built a working PoC:

PR #5970 - DelegatingPasswordEncoder integration with BCrypt as default + legacy SHA-512 fallback + transparent re-hashing on login: PoC: PasswordEncoder migration using DelegatingPasswordEncoder by 0-YuvrajSingh · Pull Request #5970 · openmrs/openmrs-core · GitHub

My other OpenMRS contribution: PR #5959 — Performance fix in EncounterServiceImpl (replaced slow Lucene-based getPatients() with getPatientIdentifiers()): TRUNK-5362: Fix extreme slowness in getEncountersByPatientIdentifier … by 0-YuvrajSingh · Pull Request #5959 · openmrs/openmrs-core · GitHub

I have a full proposal draft ready following the official template. A few quick questions if you have a moment:

  1. Do you prefer the project scoped as medium (~175h) — full Spring Security rework — or small (~90h) — targeted update only?
  2. Is there an existing JIRA ticket I should reference for this idea?
  3. Any specific edge cases or constraints I should address in the proposal?

Happy to share the full draft for your review. Thanks for your time!

— Yuvraj Singh
GitHub: 0-YuvrajSingh (Yuvraj Singh)
Talk: yuvrajsingh (OpenMRS Talk profile)
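
An added example, not code from this thread or from PR #5970: a minimal sketch of the flow named in the Proposed Solution list and in the PoC summary above (DelegatingPasswordEncoder with BCrypt as the default, a verify-only legacy SHA-512 fallback, re-hashing on successful login). The `salt:hex` legacy record layout, the in-memory `STORE`, and all class and method names are assumptions made for the demo; it needs `spring-security-crypto` on the classpath.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class RehashOnLoginDemo {
    // Assumed legacy layout for this demo only: "<salt>:<hex SHA-512(password + salt)>".
    static String legacyHash(CharSequence raw, String salt) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-512")
                    .digest((raw + salt).getBytes(StandardCharsets.UTF_8));
            return String.format("%0128x", new BigInteger(1, d));
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // Verify-only encoder for stored hashes that carry no {id} prefix; never used to encode.
    static final PasswordEncoder LEGACY = new PasswordEncoder() {
        @Override public String encode(CharSequence raw) { throw new UnsupportedOperationException(); }
        @Override public boolean matches(CharSequence raw, String stored) {
            String[] p = stored.split(":", 2); // p[0] = salt, p[1] = hex digest
            return p.length == 2 && MessageDigest.isEqual( // constant-time comparison
                    legacyHash(raw, p[0]).getBytes(StandardCharsets.UTF_8),
                    p[1].getBytes(StandardCharsets.UTF_8));
        }
    };
    static final Map<String, String> STORE = new HashMap<>(); // stands in for the users table
    static PasswordEncoder encoder(int bcryptStrength) {
        Map<String, PasswordEncoder> byId = new HashMap<>();
        byId.put("bcrypt", new BCryptPasswordEncoder(bcryptStrength));
        DelegatingPasswordEncoder enc = new DelegatingPasswordEncoder("bcrypt", byId);
        enc.setDefaultPasswordEncoderForMatches(LEGACY); // unprefixed hashes are checked here
        return enc;
    }
    static boolean login(PasswordEncoder enc, String user, String raw) {
        String stored = STORE.get(user);
        if (stored == null || !enc.matches(raw, stored)) return false; // failed login: no write
        // True for legacy hashes and for bcrypt hashes below the configured strength.
        if (enc.upgradeEncoding(stored)) STORE.put(user, enc.encode(raw));
        return true;
    }
    public static void main(String[] args) {
        STORE.put("alice", "s4lt:" + legacyHash("correct horse", "s4lt")); // constructed record
        System.out.println(login(encoder(10), "alice", "wrong") + " " + STORE.get("alice"));
        System.out.println(login(encoder(10), "alice", "correct horse") + " " + STORE.get("alice"));
        System.out.println(login(encoder(12), "alice", "correct horse") + " " + STORE.get("alice"));
    }
}
```

The three printed lines show the stored value unchanged after a failed login, replaced by a `{bcrypt}` hash after a successful one, and re-hashed again when the configured strength is raised from 10 to 12.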