1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
use crate::schema::users;
use argon2;
use diesel::{prelude::*, PgConnection};
use rand::Rng;
use serde::Deserialize;
#[derive(Debug, Deserialize)]
pub struct Credentials<'a> {
pub username: &'a str,
pub password: &'a str,
}
#[derive(Insertable)]
#[table_name = "users"]
pub struct NewUser<'a> {
pub username: &'a str,
pub password_hash: &'a [u8],
pub password_salt: &'a [u8],
}
#[derive(Queryable, Debug)]
pub struct User {
pub id: i32,
pub username: String,
pub password_salt: Vec<u8>,
pub password_hash: Vec<u8>,
}
// TODO: make this configurable somewhere
fn argon2_config() -> argon2::Config<'static> {
argon2::Config {
variant: argon2::Variant::Argon2i,
version: argon2::Version::Version13,
mem_cost: 4096,
time_cost: 3,
lanes: 1,
thread_mode: argon2::ThreadMode::Sequential,
// TODO: set a secret
secret: &[],
ad: &[],
hash_length: 32,
}
}
pub fn create_user(credentials: &Credentials, conn: &PgConnection) -> QueryResult<User> {
let argon_config = argon2_config();
let salt: [u8; 32] = rand::thread_rng().gen();
let hash = argon2::hash_raw(credentials.password.as_bytes(), &salt, &argon_config).unwrap();
let new_user = NewUser {
username: credentials.username,
password_salt: &salt,
password_hash: &hash,
};
diesel::insert_into(users::table)
.values(&new_user)
.get_result::<User>(conn)
}
pub fn authenticate_user(credentials: &Credentials, db_conn: &PgConnection) -> Option<User> {
users::table
.filter(users::username.eq(&credentials.username))
.first::<User>(db_conn)
.optional()
.unwrap()
.and_then(|user| {
let password_matches = argon2::verify_raw(
credentials.password.as_bytes(),
&user.password_salt,
&user.password_hash,
&argon2_config(),
)
.unwrap();
if password_matches {
Some(user)
} else {
None
}
})
}
#[test]
fn test_argon() {
let credentials = Credentials {
username: "piepkonijn",
password: "geheim123",
};
let argon_config = argon2_config();
let salt: [u8; 32] = rand::thread_rng().gen();
let hash = argon2::hash_raw(credentials.password.as_bytes(), &salt, &argon_config).unwrap();
let new_user = NewUser {
username: credentials.username,
password_hash: &hash,
password_salt: &salt,
};
let password_matches = argon2::verify_raw(
credentials.password.as_bytes(),
new_user.password_salt,
new_user.password_hash,
&argon2_config(),
)
.unwrap();
assert!(password_matches);
}
|