diff --git a/src/users/auth/implementation.rs b/src/users/auth/implementation.rs
index cc93bb1..c7a2a29 100644
--- a/src/users/auth/implementation.rs
+++ b/src/users/auth/implementation.rs
@@ -15,8 +15,8 @@ use crate::{
 users::{
 User,
 auth::{
- AuthError, COOKIE_NAME, TokenSize, UserAuthRequired, UserAuthenticate,
- UserPasswordHashing,
+ AuthError, COOKIE_NAME, TokenSize, UserAuthDummyData, UserAuthRequired,
+ UserAuthenticate, UserPasswordHashing,
 },
 sessions::Session,
 },
@@ -81,6 +81,15 @@ impl UserPasswordHashing for User {
 }
 }
+// TODO: generate these at startup using predefined Argon2 params if
+// these ever change from ::Default - the PHC must have the same factors as real hashes.
+impl UserAuthDummyData for User {
+ /// This PHC generated for b"password"
+ const DUMMY_PASSWORD_PHC: &str = "$argon2id$v=19$m=19456,t=2,p=1$PXcTKpFhLRB70fVF35XYDQ$QOW2IxdPUvqD38+ScqX5SgO+jwweaMO9DUGqmkTeofQ";
+ /// Different than the input password of the PHC
+ const DUMMY_PASSWORD: &str = "different_password";
+}
+
 impl From for AuthError {
 fn from(err: argon2::password_hash::Error) -> Self {
 AuthError::PassHashError(err)
@@ -175,7 +184,10 @@ fn authenticate_basic(credentials: &str) -> Result, AuthError> {
 true => Ok(Some(User::get_by_id(id)?)),
 false => Err(AuthError::InvalidCredentials),
 },
- _ => Err(AuthError::InvalidCredentials),
+ _ => {
+ let _ = User::match_hash_password(User::DUMMY_PASSWORD, User::DUMMY_PASSWORD_PHC)?;
+ Err(AuthError::InvalidCredentials)
+ }
 }
 }
diff --git a/src/users/auth/mod.rs b/src/users/auth/mod.rs
index d7841f1..f22b43a 100644
--- a/src/users/auth/mod.rs
+++ b/src/users/auth/mod.rs
@@ -20,6 +20,10 @@ pub trait UserPasswordHashing {
 /// Returns whether the password matches the hash
 fn match_hash_password(passw: &str, hash: &str) -> Result;
 }
+pub trait UserAuthDummyData {
+ const DUMMY_PASSWORD_PHC: &str;
+ const DUMMY_PASSWORD: &str;
+}
 #[derive(thiserror::Error, Debug)]
 pub enum AuthError {
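Review bot: The TODO above `impl UserAuthDummyData for User` leaves the dummy verification free to drift out of step with real hashes: `DUMMY_PASSWORD_PHC` pins `m=19456,t=2,p=1`, and nothing in the hunk ties that to the parameters the `UserPasswordHashing` impl uses when hashing, so a later change to the Argon2 configuration would make the unknown-user path measurably cheaper or dearer than the known-user path — exactly the timing difference this constant exists to remove. A unit test that parses the constant (as far as I know the `argon2` crate can recover `Params` from a parsed `PasswordHash`) and compares it with the hasher's configured params would turn the TODO into an enforced invariant. The doc comment on the constant should also say what it is for rather than how it was made, e.g. `/// Argon2id PHC used only to equalise verification cost when no user matches; its m/t/p factors must match the hashes produced by UserPasswordHashing.`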
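Review bot: The `?` on the new `User::match_hash_password(User::DUMMY_PASSWORD, User::DUMMY_PASSWORD_PHC)?` line lets the outcome of the dummy verification change the response: a malformed or mis-parametrised dummy PHC would turn every unknown-user attempt into `AuthError::PassHashError`, while a known user with a wrong password still gets `AuthError::InvalidCredentials`, so the two cases become distinguishable by error type. Since the call exists only to spend the same time as a real verification, its result should not influence what is returned: `let _ = User::match_hash_password(User::DUMMY_PASSWORD, User::DUMMY_PASSWORD_PHC);` with a comment such as `// Equalise timing with the real-verification path; the result is deliberately ignored.` The `match` this arm belongs to and the rest of `authenticate_basic` start outside the hunk, so I cannot tell whether the `_` arm also covers credentials that fail to parse before any lookup; if those return early elsewhere, the same dummy call belongs on that path too.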
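Review bot: `pub trait UserAuthDummyData` is added without a doc comment, unlike its neighbour `UserPasswordHashing`, whose method carries `/// Returns whether the password matches the hash`; a reader of mod.rs gets no hint that these constants exist to keep authentication timing independent of whether a user exists, or that the PHC must use the same Argon2 parameters as real hashes. I would document the trait and both associated constants: `/// Dummy credentials run through the password verifier when no user matches, so a failed lookup costs as much as a failed password check.` on the trait, `/// PHC string whose cost parameters must match the hashes produced by UserPasswordHashing.` on `DUMMY_PASSWORD_PHC`, and `/// A password other than the one DUMMY_PASSWORD_PHC was derived from.` on `DUMMY_PASSWORD`.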