feat: password hashing using argon2

link-for-later/Cargo.toml

@@ -7,6 +7,7 @@ repository = "https://github.com/kentSarmiento/link-for-later-service"
 publish = false
 
 [dependencies]
+argon2 = "0.5.2"
 axum = "0.7.2"
 axum-extra = { version = "0.9.0", default-features = false, features=["typed-header"] }
 bson = "2.8.1"

link-for-later/src/service/users.rs

@@ -1,3 +1,7 @@
+use argon2::{
+    password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
+    Argon2,
+};
 use axum::async_trait;
 use chrono::{DateTime, Duration, Utc};
 use jsonwebtoken::{encode, EncodingKey, Header};
@@ -33,8 +37,16 @@ impl UsersService for ServiceProvider {
         };
 
         let now = Utc::now().to_rfc3339();
-        // TODO: secure password
-        let registered_user_info = UserInfoBuilder::from(user_info.clone())
+
+        let password_hash = Argon2::default()
+            .hash_password(
+                user_info.password().as_bytes(),
+                &SaltString::generate(&mut OsRng),
+            )
+            .map_err(|e| AppError::ServerError(format!("hash_password() {e:?}")))?
+            .to_string();
+
+        let registered_user_info = UserInfoBuilder::new(user_info.email(), &password_hash)
             .created_at(&now)
             .updated_at(&now)
             .verified(true)
@@ -51,9 +63,11 @@ impl UsersService for ServiceProvider {
         let user_query = UserQueryBuilder::new(user_info.email()).build();
         let retrieved_user_info = users_repo.get(&user_query).await?;
 
-        if retrieved_user_info.password() != user_info.password() {
-            return Err(AppError::IncorrectPassword(user_info.email().to_owned()));
-        }
+        let parsed_hash = PasswordHash::new(retrieved_user_info.password())
+            .map_err(|e| AppError::ServerError(format!("PasswordHash::new() {e:?}")))?;
+        Argon2::default()
+            .verify_password(user_info.password().as_bytes(), &parsed_hash)
+            .map_err(|_| AppError::IncorrectPassword(user_info.email().to_owned()))?;
 
         let timestamp = |timestamp: DateTime<Utc>| -> Result<usize> {
             let timestamp: usize = timestamp
@@ -199,9 +213,14 @@ mod tests {
     async fn test_login_user() {
         let repo_query = UserQueryBuilder::new("[email protected]").build();
         let user_to_login = UserInfoBuilder::new("[email protected]", "test").build();
-        let registered_user = UserInfoBuilder::new("[email protected]", "test").build();
         let request_item = user_to_login.clone();
 
+        let password_hash = Argon2::default()
+            .hash_password(b"test", &SaltString::generate(&mut OsRng))
+            .unwrap()
+            .to_string();
+        let registered_user = UserInfoBuilder::new("[email protected]", &password_hash).build();
+
         let mut mock_users_repo = MockUsersRepo::new();
         mock_users_repo
             .expect_get()
@@ -245,9 +264,14 @@ mod tests {
     async fn test_login_user_incorrect_password() {
         let repo_query = UserQueryBuilder::new("[email protected]").build();
         let user_to_login = UserInfoBuilder::new("[email protected]", "incorrect").build();
-        let registered_user = UserInfoBuilder::new("[email protected]", "test").build();
         let request_item = user_to_login.clone();
 
+        let password_hash = Argon2::default()
+            .hash_password(b"test", &SaltString::generate(&mut OsRng))
+            .unwrap()
+            .to_string();
+        let registered_user = UserInfoBuilder::new("[email protected]", &password_hash).build();
+
         let mut mock_users_repo = MockUsersRepo::new();
         mock_users_repo
             .expect_get()

link-for-later/tests/users.rs

@@ -1,3 +1,7 @@
+use argon2::{
+    password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
+    Argon2,
+};
 use axum::{
     body::Body,
     http::{Request, StatusCode},
@@ -49,7 +53,7 @@ async fn test_register_user(#[values(DatabaseType::MongoDb)] db_type: DatabaseTy
 
     let db_item = repository.get_user("[email protected]").await;
     assert!(db_item.email == "[email protected]");
-    assert!(db_item.password == "test");
+    assert!(db_item.password != "test");
 }
 
 #[rstest]
@@ -132,7 +136,12 @@ async fn test_register_user_already_registered(
 async fn test_login_user(#[values(DatabaseType::MongoDb)] db_type: DatabaseType) {
     let repository = repository::new(&db_type);
 
-    repository.add_user("[email protected]", "test").await;
+    let password_hash = Argon2::default()
+        .hash_password(b"test", &SaltString::generate(&mut OsRng))
+        .unwrap()
+        .to_string();
+    repository.add_user("[email protected]", &password_hash).await;
+
     let request = r#"{
         "email": "[email protected]",
         "password": "test"
@@ -196,7 +205,12 @@ async fn test_login_user_invalid_email(#[values(DatabaseType::MongoDb)] db_type:
 async fn test_login_user_not_found(#[values(DatabaseType::MongoDb)] db_type: DatabaseType) {
     let repository = repository::new(&db_type);
 
-    repository.add_user("[email protected]", "test").await;
+    let password_hash = Argon2::default()
+        .hash_password(b"test", &SaltString::generate(&mut OsRng))
+        .unwrap()
+        .to_string();
+    repository.add_user("[email protected]", &password_hash).await;
+
     let request = r#"{
         "email": "[email protected]",
         "password": "test"
@@ -230,7 +244,12 @@ async fn test_login_user_incorrect_password(
 ) {
     let repository = repository::new(&db_type);
 
-    repository.add_user("[email protected]", "test").await;
+    let password_hash = Argon2::default()
+        .hash_password(b"test", &SaltString::generate(&mut OsRng))
+        .unwrap()
+        .to_string();
+    repository.add_user("[email protected]", &password_hash).await;
+
     let request = r#"{
         "email": "[email protected]",
         "password": "incorrect"