authormrw1593 <botahamec@outlook.com>2023-05-13 12:46:09 -0400
committermrw1593 <botahamec@outlook.com>2023-05-29 10:45:55 -0400
commitdc08e1486c919dc8f168543adeb86cfe1f3b645e (patch)
treefaec648a182d9dda738b0c7e859d22deae2c7f49 /src/services/crypto.rs
parent0b55587443103b20491139d54670474a35286be8 (diff)
Make secrets more secret
Diffstat (limited to 'src/services/crypto.rs')
-rw-r--r--src/services/crypto.rs36
1 files changed, 18 insertions, 18 deletions
diff --git a/src/services/crypto.rs b/src/services/crypto.rs
index 580e83a..7ad2ce0 100644
--- a/src/services/crypto.rs
+++ b/src/services/crypto.rs
@@ -3,24 +3,23 @@ use std::hash::Hash;
use argon2::{hash_raw, verify_raw};
use exun::RawUnexpected;
-/// A custom pepper used to hide passwords
-static PEPPER: [u8; 16] = [
- 0x98, 0x7f, 0x6f, 0xce, 0x20, 0x76, 0x2c, 0x8a, 0xae, 0xf6, 0xee, 0x45, 0xb3, 0x6b, 0x1f, 0x69,
-];
+use crate::services::secrets::pepper;
/// The configuration used for hashing and verifying passwords
-static CONFIG: argon2::Config<'_> = argon2::Config {
- hash_length: 32,
- lanes: 4,
- mem_cost: 5333,
- time_cost: 4,
- secret: &PEPPER,
+fn config<'a>(pepper: &'a [u8]) -> argon2::Config<'a> {
+ argon2::Config {
+ hash_length: 32,
+ lanes: 4,
+ mem_cost: 5333,
+ time_cost: 4,
+ secret: pepper,
- ad: &[],
- thread_mode: argon2::ThreadMode::Sequential,
- variant: argon2::Variant::Argon2i,
- version: argon2::Version::Version13,
-};
+ ad: &[],
+ thread_mode: argon2::ThreadMode::Sequential,
+ variant: argon2::Variant::Argon2i,
+ version: argon2::Version::Version13,
+ }
+}
/// A password hash and salt for a user
#[derive(Debug, Clone, PartialEq, Eq)]
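Review bot: The 16 bytes deleted from `PEPPER` remain readable in the repository history, so the move to `pepper()` only keeps the secret private if the secrets service supplies a freshly generated value rather than the same bytes. `config` also passes whatever slice it receives straight into `secret`, so an empty pepper would produce unpeppered hashes without any error; if `pepper()` does not already reject that (its body is not visible here), a length check before building the config would catch it. The doc comment kept above `config` still reads as if it described a static and could become `/// Builds the Argon2 configuration for hashing and verifying passwords, using the given pepper as the secret.`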
@@ -43,8 +42,8 @@ impl PasswordHash {
let salt: [u8; 16] = rand::random();
let salt = Box::from(salt);
-
- let hash = hash_raw(password, &salt, &CONFIG)?.into_boxed_slice();
+ let pepper = pepper()?;
+ let hash = hash_raw(password, &salt, &config(&pepper))?.into_boxed_slice();
Ok(Self {
hash,
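Review bot: `let pepper = pepper()?;` shadows the imported `pepper` function for the rest of the body, which makes the call site harder to read and prevents calling the function again in that scope; a distinct binding such as `let pepper_bytes = pepper()?;` with `&config(&pepper_bytes)` avoids that, and the same line appears in `check_password` in the next hunk. The local copy of the secret is dropped without being cleared, and whether that matters depends on the type `pepper()` returns, which this page does not show. The enclosing function starts and ends outside the hunk.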
@@ -78,11 +77,12 @@ impl PasswordHash {
/// Check if the given password is the one that was hashed
pub fn check_password(&self, password: &str) -> Result<bool, RawUnexpected> {
+ let pepper = pepper()?;
Ok(verify_raw(
password.as_bytes(),
&self.salt,
&self.hash,
- &CONFIG,
+ &config(&pepper),
)?)
}
}
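Review bot: A pepper that differs from the one used when the hash was stored makes `verify_raw` return `Ok(false)` rather than an error, so after a rotation or a misconfigured secrets service `check_password` would report every password as wrong with nothing to tell the two cases apart. The type is documented as holding a hash and a salt, so there appears to be no record of which pepper a hash was made with. A comment above the call such as `// Ok(false) also covers a pepper mismatch, not only a wrong password` would document this, and a stored pepper version would let callers distinguish the cases.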