From 2e3750121ad43ab07354e08aace3dd9e0bc8cd8a Mon Sep 17 00:00:00 2001 From: Xander Bil Date: Tue, 12 Nov 2024 20:45:22 +0100 Subject: [PATCH] hash passwords with argon --- Cargo.lock | 33 +++++++++++++++++++++++++++++++++ Cargo.toml | 1 + src/routes/user.rs | 16 ++++++++++++++-- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index cbc90fe..4894707 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -125,6 +125,18 @@ dependencies = [ "windows-sys 0.59.0", ] +[[package]] +name = "argon2" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072" +dependencies = [ + "base64ct", + "blake2", + "cpufeatures", + "password-hash", +] + [[package]] name = "arrayvec" version = "0.7.6" @@ -456,6 +468,15 @@ dependencies = [ "wyz", ] +[[package]] +name = "blake2" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe" +dependencies = [ + "digest", +] + [[package]] name = "block-buffer" version = "0.10.4" @@ -1429,6 +1450,7 @@ dependencies = [ name = "mailauth" version = "0.1.0" dependencies = [ + "argon2", "axum", "axum-extra", "dotenvy", @@ -1736,6 +1758,17 @@ dependencies = [ "windows-targets 0.52.6", ] +[[package]] +name = "password-hash" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166" +dependencies = [ + "base64ct", + "rand_core", + "subtle", +] + [[package]] name = "paste" version = "1.0.15" diff --git a/Cargo.toml b/Cargo.toml index 5ccb340..adaefa8 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -36,3 +36,4 @@ sea-orm = { version = "1.1.0", features = [ "sqlx-sqlite", "runtime-tokio-native migration = { path = "migration" } minijinja = "2.4.0" thiserror = "2.0.3" +argon2 = {version = "0.5.3", features = ["password-hash"]} diff --git a/src/routes/user.rs b/src/routes/user.rs index 72ef021..8bb3998 100644 --- a/src/routes/user.rs +++ b/src/routes/user.rs @@ -1,5 +1,9 @@ +use argon2::password_hash::SaltString; +use argon2::{Argon2, PasswordHasher}; use axum::Form; use axum::{extract::State, Extension}; +use rand::rngs::OsRng; +use reqwest::StatusCode; use sea_orm::{ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, QueryFilter}; use serde::{Deserialize, Serialize}; @@ -22,16 +26,24 @@ pub async fn update_password( .one(&state.conn) .await?; + let salt = SaltString::generate(&mut OsRng); + let password = Argon2::default() + .hash_password(form.password.as_ref(), &salt) + .map_err(|e| ThisError::Generic { + code: StatusCode::INTERNAL_SERVER_ERROR, + message: e.to_string(), + })?; + match user_option { Some(user) => { let mut user: user::ActiveModel = user.into(); - user.password = ActiveValue::Set(form.password); + user.password = ActiveValue::Set(password.to_string()); user.update(&state.conn).await?; } None => { let user = user::ActiveModel { userid: ActiveValue::Set(session.name.to_owned()), - password: ActiveValue::Set(form.password), + password: ActiveValue::Set(password.to_string()), ..Default::default() }; user.insert(&state.conn).await?;