Hash password in service layer instead of data access layer

Signed-off-by: Knut Borchers <[email protected]>

Author: qutax

backend/src/core/repository/user.rs

@@ -5,5 +5,5 @@ use mockall::automock;
 #[cfg_attr(test, automock)]
 pub trait UserRepository {
     fn find_user_by_username(&self, username: String) -> Option<User>;
-    fn set_password(&self, username: String, new_password: String) -> anyhow::Result<()>; // talisman-ignore-line
+    fn set_password_hash(&self, username: String, new_password_hash: String) -> anyhow::Result<()>; // talisman-ignore-line
 }

backend/src/core/service/user.rs

@@ -3,7 +3,38 @@ use crate::models::users::User;
 
 pub trait UserService {
     fn find_user_by_username(&self, username: String) -> Option<User>;
-    fn set_password(&self, username: String, new_password: String) -> anyhow::Result<()>; // talisman-ignore-line
+    fn change_password(
+        &self,
+        username: String,
+        current_password: String,
+        new_password: String,
+    ) -> anyhow::Result<()>;
+}
+
+fn hash_password(password: &str, // talisman-ignore-line
+) -> String {
+    use rand::Rng;
+
+    let config = argon2::Config::default();
+    let salt: String = rand::thread_rng()
+        .sample_iter(&rand::distributions::Alphanumeric)
+        .take(16)
+        .map(char::from)
+        .collect();
+
+    argon2::hash_encoded(
+        password.as_bytes(), // talisman-ignore-line
+        salt.as_bytes(),
+        &config,
+    )
+    .unwrap()
+}
+
+fn password_matches_hash(
+    hash: &str,
+    password: &str, // talisman-ignore-line
+) -> bool {
+    argon2::verify_encoded(hash, password.as_bytes()).is_ok_and(|is_verified| is_verified)
 }
 
 pub struct DefaultUserService<UR: UserRepository> {
@@ -21,13 +52,25 @@ impl<UR: UserRepository> UserService for DefaultUserService<UR> {
         self.user_repository.find_user_by_username(username)
     }
 
-    fn set_password(
+    fn change_password(
         // talisman-ignore-line
         &self,
         username: String,
+        current_password: String,
         new_password: String,
     ) -> anyhow::Result<()> {
-        self.user_repository.set_password(username, new_password) // talisman-ignore-line
+        let current_password_is_valid = self
+            .find_user_by_username(username.clone())
+            .ok_or(anyhow::Error::msg("User not found."))
+            .map(|user| password_matches_hash(&user.password_hash, &current_password))?; // talisman-ignore-line
+
+        if current_password_is_valid {
+            let new_password_hash = hash_password(&new_password); // talisman-ignore-line
+            self.user_repository
+                .set_password_hash(username, new_password_hash) // talisman-ignore-line
+        } else {
+            Err(anyhow::Error::msg("Password invalid."))
+        }
     }
 }
 
@@ -37,6 +80,12 @@ mod tests {
     use crate::core::repository::MockUserRepository;
     use mockall::predicate::*;
 
+    const EXAMPLE_PASSWORD: &'static str = "xoh7Ongui4oo"; // talisman-ignore-line
+
+    /// Example hash for `xoh7Ongui4oo`.
+    const EXAMPLE_PASSWORD_HASH: &'static str = // talisman-ignore-line
+        "$argon2i$v=19$m=4096,t=3,p=1$cmFuZG9tc2FsdA$OOA07UjKrh3ijWboNB5/Ur274nxXirUuifmSuGCXwY0"; // talisman-ignore-line
+
     #[test]
     fn find_user_by_username_must_call_repository() {
         let mut user_repository = MockUserRepository::new();
@@ -51,23 +100,71 @@ mod tests {
 
         let result = user_service.find_user_by_username(User::default().username);
 
-        assert_eq!(result, Some(User::default()))
+        assert_eq!(result, Some(User::default()));
     }
 
     #[test]
-    fn set_password_must_call_repository() {
+    fn change_password_must_fail_if_current_password_is_wrong() {
+        let example_user: User = User {
+            id: 73,
+            username: "example_user".to_string(),
+            password_hash: EXAMPLE_PASSWORD_HASH.to_string(), // talisman-ignore-line
+            role: "admin".to_string(),
+        };
+
         let mut user_repository = MockUserRepository::new();
+
+        user_repository
+            .expect_find_user_by_username()
+            .with(eq("example_user".to_string()))
+            .times(1)
+            .returning(move |_r| Some(example_user.clone()));
+
+        user_repository.expect_set_password_hash().never();
+
+        let user_service = DefaultUserService::new(user_repository);
+        let result = user_service.change_password(
+            "example_user".to_string(),
+            "invalid_value".to_string(),
+            "new_password".to_string(),
+        );
+
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn change_password_must_not_fail_if_current_password_is_correct() {
+        let example_user: User = User {
+            id: 73,
+            username: "example_user".to_string(),
+            password_hash: EXAMPLE_PASSWORD_HASH.to_string(), // talisman-ignore-line
+            role: "admin".to_string(),
+        };
+
+        let mut user_repository = MockUserRepository::new();
+
+        user_repository
+            .expect_find_user_by_username()
+            .with(eq("example_user".to_string()))
+            .times(1)
+            .returning(move |_r| Some(example_user.clone()));
+
         user_repository
-            .expect_set_password()
-            .with(eq(User::default().username), eq("new_password".to_string())) // talisman-ignore-line
+            .expect_set_password_hash()
+            .with(
+                eq("example_user".to_string()),
+                function(|new_hash: &String| password_matches_hash(&new_hash, "new_password")), // talisman-ignore-line
+            )
             .times(1)
             .returning(|_r, _s| Ok(()));
 
         let user_service = DefaultUserService::new(user_repository);
-        let result = user_service
-            .set_password(User::default().username, "new_password".to_string()) // talisman-ignore-line
-            .unwrap();
+        let result = user_service.change_password(
+            "example_user".to_string(),
+            EXAMPLE_PASSWORD.to_string(), // talisman-ignore-line
+            "new_password".to_string(),
+        );
 
-        assert_eq!(result, ())
+        assert!(result.is_ok());
     }
 }

backend/src/handlers/admin.rs

@@ -141,7 +141,11 @@ pub async fn change_password(
     };
     if user.eq(&login_data) {
         user_service
-            .set_password(username, change_password_data.new_password.to_string()) // talisman-ignore-line
+            .change_password(
+                username,
+                change_password_data.old_password.to_string(),
+                change_password_data.new_password.to_string(),
+            )
             .map_err(handlers::error::InternalError::from)?;
         let response = LoginResponse::from(&user);
         let json = serde_json::to_string(&response)?;

backend/src/lib.rs

@@ -6,8 +6,6 @@ use diesel::result::Error;
 use dotenvy::dotenv;
 use models::rejected_transaction::{NewRejectedTransaction, RejectedTransaction};
 use r2d2::PooledConnection;
-use rand::distributions::Alphanumeric;
-use rand::{thread_rng, Rng};
 use repository::PostgresThemeRepository;
 
 use self::models::runner::Runner;
@@ -153,17 +151,6 @@ pub fn is_eu_country(country: &str) -> bool {
     EU_COUNTRIES.contains(&country)
 }
 
-pub fn hash_password(password: String) -> String {
-    let config = argon2::Config::default();
-    let salt: String = thread_rng()
-        .sample_iter(&Alphanumeric)
-        .take(16)
-        .map(char::from)
-        .collect();
-
-    argon2::hash_encoded(password.as_bytes(), salt.as_bytes(), &config).unwrap()
-}
-
 lazy_static! {
     static ref TEMPLATES: tera::Tera = {
         match tera::Tera::new("templates/**/*") {

backend/src/repository/user.rs

@@ -1,5 +1,4 @@
 use crate::core::repository::UserRepository;
-use crate::hash_password;
 use crate::models::users::User;
 use crate::schema::users::dsl::users;
 use crate::schema::users::{password_hash as schema_password_hash, username as schema_username}; // talisman-ignore-line
@@ -31,21 +30,18 @@ impl UserRepository for PostgresUserRepository {
             .expect("Failed to find user")
     }
 
-    fn set_password(
-        // talisman-ignore-line
+    fn set_password_hash(
         &self,
         username: String,
-        new_password: String,
+        new_password_hash: String, // talisman-ignore-line
     ) -> anyhow::Result<()> {
         let mut connection = self
             .connection_pool
             .get()
             .expect("Unable to get connection.");
 
-        let new_hash = hash_password(new_password);
-
         let affected_rows = diesel::update(users)
-            .set(schema_password_hash.eq(new_hash))
+            .set(schema_password_hash.eq(new_password_hash))
             .filter(schema_username.eq(&username))
             .execute(&mut connection)
             .expect("Unable to update password");

backend/tests/admin.rs

@@ -90,7 +90,7 @@ async fn change_password_should_fail_if_new_password_is_empty() {
         .body(
             serde_json::to_string(&LoginData {
                 username: "admin".to_string(),
-                password: "xoh7Ongui4oo".to_string(),
+                password: "xoh7Ongui4oo".to_string(), // talisman-ignore-line
             })
             .unwrap(),
         )
@@ -104,7 +104,7 @@ async fn change_password_should_fail_if_new_password_is_empty() {
         .expect("Unable to get cookie");
 
     let password_change_data = PasswordChangeData {
-        old_password: "xoh7Ongui4oo".to_string(),
+        old_password: "xoh7Ongui4oo".to_string(), // talisman-ignore-line
         new_password: "".to_string(),
     };
 
@@ -136,7 +136,7 @@ async fn change_password_should_fail_if_old_password_is_empty() {
         .body(
             serde_json::to_string(&LoginData {
                 username: "admin".to_string(),
-                password: "xoh7Ongui4oo".to_string(),
+                password: "xoh7Ongui4oo".to_string(), // talisman-ignore-line
             })
             .unwrap(),
         )
@@ -151,7 +151,7 @@ async fn change_password_should_fail_if_old_password_is_empty() {
 
     let password_change_data = PasswordChangeData {
         old_password: "".to_string(),
-        new_password: "new_password".to_string(),
+        new_password: "new_password".to_string(), // talisman-ignore-line
     };
 
     let actual_response = client
@@ -182,7 +182,7 @@ async fn change_password_should_fail_if_old_password_is_invalid() {
         .body(
             serde_json::to_string(&LoginData {
                 username: "admin".to_string(),
-                password: "xoh7Ongui4oo".to_string(),
+                password: "xoh7Ongui4oo".to_string(), // talisman-ignore-line
             })
             .unwrap(),
         )
@@ -197,7 +197,7 @@ async fn change_password_should_fail_if_old_password_is_invalid() {
 
     let password_change_data = PasswordChangeData {
         old_password: "not the correct password!".to_string(),
-        new_password: "new_password".to_string(),
+        new_password: "new_password".to_string(), // talisman-ignore-line
     };
 
     let actual_response = client
@@ -228,34 +228,85 @@ async fn change_password_should_be_successful_if_new_and_old_passwords_are_valid
         .body(
             serde_json::to_string(&LoginData {
                 username: "admin".to_string(),
-                password: "xoh7Ongui4oo".to_string(),
+                password: "xoh7Ongui4oo".to_string(), // talisman-ignore-line
             })
             .unwrap(),
         )
         .send()
         .await
-        .expect("Unable to send request.");
+        .expect("Unable to send request");
 
     let cookie = login_response
         .cookies()
         .next()
         .expect("Unable to get cookie");
 
     let password_change_data = PasswordChangeData {
-        old_password: "xoh7Ongui4oo".to_string(),
-        new_password: "new_password".to_string(),
+        old_password: "xoh7Ongui4oo".to_string(), // talisman-ignore-line
+        new_password: "new_password".to_string(), // talisman-ignore-line
     };
 
-    let actual_response = client
+    let change_password_response = client
         .put(format!("{address}/api/admin/change_password"))
         .header("Content-Type", "application/json")
         .header("Cookie", format!("{}={}", cookie.name(), cookie.value()))
         .body(serde_json::to_string(&password_change_data).unwrap())
         .send()
         .await
-        .expect("Unable to send request.");
+        .expect("Unable to send request");
+
+    assert_eq!(
+        change_password_response.status(),
+        actix_web::http::StatusCode::OK
+    );
+
+    let logout_response = client
+        .post(format!("{address}/api/admin/logout"))
+        .header("Content-Type", "application/json")
+        .header("Cookie", format!("{}={}", cookie.name(), cookie.value()))
+        .send()
+        .await
+        .expect("Unable to send request");
+
+    assert_eq!(
+        logout_response.status(),
+        actix_web::http::StatusCode::NO_CONTENT
+    );
+
+    let failed_login_response = client
+        .post(format!("{address}/api/admin/login"))
+        .header("Content-Type", "application/json")
+        .body(
+            serde_json::to_string(&LoginData {
+                username: "admin".to_string(),
+                password: "xoh7Ongui4oo".to_string(), // talisman-ignore-line
+            })
+            .unwrap(),
+        )
+        .send()
+        .await
+        .expect("Unable to send request");
+
+    assert_eq!(
+        failed_login_response.status(),
+        actix_web::http::StatusCode::FORBIDDEN
+    );
+
+    let new_login_response = client
+        .post(format!("{address}/api/admin/login"))
+        .header("Content-Type", "application/json")
+        .body(
+            serde_json::to_string(&LoginData {
+                username: "admin".to_string(),
+                password: "new_password".to_string(), // talisman-ignore-line
+            })
+            .unwrap(),
+        )
+        .send()
+        .await
+        .expect("Unable to send request");
 
-    assert_eq!(actual_response.status(), actix_web::http::StatusCode::OK);
+    assert_eq!(new_login_response.status(), actix_web::http::StatusCode::OK);
 }
 
 #[actix_web::test]