scrypt passwords before srp
scrypt passwords to protect them before using them to create the verification code or use them to authenticate.
Right now when we register we send to the provider the verification code and the salt, that the provider sends back to be able to do the SRP login. We'll need to extend it with a kdf (key derivation function) document that the provider stores and returns as it is. This document for scrypt will contain:
{ "algorithm": "scrypt", "salt": ....., }
The salts of scrypt and srp need to be different, as the salt of srp is derived from the username/password.
In case of receiving a kdf = null the client will do srp without any modifications to the key.
We'll need or to bump the API version number or to have a way for the provider to notify that the kdf document is supported.
(from redmine: created on 2016-04-30)