diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/main.rs | 3 | ||||
| -rw-r--r-- | src/services/crypto.rs | 36 | ||||
| -rw-r--r-- | src/services/db.rs | 5 | ||||
| -rw-r--r-- | src/services/mod.rs | 1 | ||||
| -rw-r--r-- | src/services/secrets.rs | 13 |
5 files changed, 36 insertions, 22 deletions
diff --git a/src/main.rs b/src/main.rs index dff3f3f..d454a8c 100644 --- a/src/main.rs +++ b/src/main.rs @@ -9,7 +9,8 @@ use services::*; #[actix_web::main] async fn main() -> Result<(), RawUnexpected> { - let sql_pool = db::initialize("password_database", "dbuser", "Demo1234").await?; + let db_url = secrets::database_url()?; + let sql_pool = db::initialize(&db_url).await?; HttpServer::new(move || { App::new() diff --git a/src/services/crypto.rs b/src/services/crypto.rs index 580e83a..7ad2ce0 100644 --- a/src/services/crypto.rs +++ b/src/services/crypto.rs @@ -3,24 +3,23 @@ use std::hash::Hash; use argon2::{hash_raw, verify_raw}; use exun::RawUnexpected; -/// A custom pepper used to hide passwords -static PEPPER: [u8; 16] = [ - 0x98, 0x7f, 0x6f, 0xce, 0x20, 0x76, 0x2c, 0x8a, 0xae, 0xf6, 0xee, 0x45, 0xb3, 0x6b, 0x1f, 0x69, -]; +use crate::services::secrets::pepper; /// The configuration used for hashing and verifying passwords -static CONFIG: argon2::Config<'_> = argon2::Config { - hash_length: 32, - lanes: 4, - mem_cost: 5333, - time_cost: 4, - secret: &PEPPER, +fn config<'a>(pepper: &'a [u8]) -> argon2::Config<'a> { + argon2::Config { + hash_length: 32, + lanes: 4, + mem_cost: 5333, + time_cost: 4, + secret: pepper, - ad: &[], - thread_mode: argon2::ThreadMode::Sequential, - variant: argon2::Variant::Argon2i, - version: argon2::Version::Version13, -}; + ad: &[], + thread_mode: argon2::ThreadMode::Sequential, + variant: argon2::Variant::Argon2i, + version: argon2::Version::Version13, + } +} /// A password hash and salt for a user #[derive(Debug, Clone, PartialEq, Eq)] @@ -43,8 +42,8 @@ impl PasswordHash { let salt: [u8; 16] = rand::random(); let salt = Box::from(salt); - - let hash = hash_raw(password, &salt, &CONFIG)?.into_boxed_slice(); + let pepper = pepper()?; + let hash = hash_raw(password, &salt, &config(&pepper))?.into_boxed_slice(); Ok(Self { hash, @@ -78,11 +77,12 @@ impl PasswordHash { /// Check if the given password is the one that was hashed pub fn check_password(&self, password: &str) -> Result<bool, RawUnexpected> { + let pepper = pepper()?; Ok(verify_raw( password.as_bytes(), &self.salt, &self.hash, - &CONFIG, + &config(&pepper), )?) } } diff --git a/src/services/db.rs b/src/services/db.rs index 80335c4..b24c640 100644 --- a/src/services/db.rs +++ b/src/services/db.rs @@ -33,9 +33,8 @@ impl TryFrom<UserRow> for User { } /// Intialize the connection pool -pub async fn initialize(db: &str, user: &str, password: &str) -> Result<MySqlPool, RawUnexpected> { - let url = format!("mysql://{user}:{password}@localhost/{db}"); - MySqlPool::connect(&url).await.unexpect() +pub async fn initialize(db_url: &str) -> Result<MySqlPool, RawUnexpected> { + MySqlPool::connect(db_url).await.unexpect() } pub async fn user_id_exists<'c>( diff --git a/src/services/mod.rs b/src/services/mod.rs index 57146d8..09d2159 100644 --- a/src/services/mod.rs +++ b/src/services/mod.rs @@ -1,3 +1,4 @@ pub mod crypto; pub mod db; pub mod id; +pub mod secrets; diff --git a/src/services/secrets.rs b/src/services/secrets.rs new file mode 100644 index 0000000..e4a1ca1 --- /dev/null +++ b/src/services/secrets.rs @@ -0,0 +1,13 @@ +use std::env; + +use exun::*; + +pub fn pepper() -> Result<Box<[u8]>, RawUnexpected> { + let pepper = env::var("SECRET_SALT")?; + let pepper = hex::decode(pepper)?; + Ok(pepper.into_boxed_slice()) +} + +pub fn database_url() -> Result<String, RawUnexpected> { + env::var("DATABASE_URL").unexpect() +} |