Salt to user table

Cargo.toml

@@ -35,6 +35,7 @@ serde_json = "1.0"
 uuid = { version = "0.7", features = ["serde", "v4"] }
 validator = "0.8.0"
 validator_derive = "0.8.0"
+rand = "0.7.3"
 
 [dev-dependencies]
 actix-http-test = "0.2.0"

migrations/2020-04-27-193614_add_user_salt/down.sql

@@ -0,0 +1,3 @@
+-- This file should undo anything in `up.sql`
+ALTER TABLE users
+    DROP COLUMN salt;

migrations/2020-04-27-193614_add_user_salt/up.sql

@@ -0,0 +1,3 @@
+-- Your SQL goes here
+ALTER TABLE users
+    ADD COLUMN salt VARCHAR(36) NOT NULL DEFAULT '' AFTER password;

src/auth.rs

@@ -46,8 +46,9 @@ pub fn decode_jwt(token: &str) -> Result<PrivateClaim, ApiError> {
 ///
 /// Uses the argon2i algorithm.
 /// auth_salt is environment-configured.
-pub fn hash(password: &str) -> String {
-    argon2i_simple(&password, &CONFIG.auth_salt)
+pub fn hash(password: &str, salt: &String) -> String {
+    let masked = mask_str(&salt, &CONFIG.auth_salt);
+    argon2i_simple(&password, &masked)
         .iter()
         .map(|b| format!("{:02x}", b))
         .collect()
@@ -63,23 +64,47 @@ pub fn get_identity_service() -> IdentityService<CookieIdentityPolicy> {
     )
 }
 
+
+/// Mask one string with another. Used for combining salts.
+fn mask_str(str: &String, mask : &String) -> String{
+    let mut strb = str.clone().into_bytes();
+    let maskb = mask.clone().into_bytes();
+    let str_len = strb.len();
+    let mask_len = maskb.len();
+    let mut i = 0;
+    let mut m = 0;
+    while i < str_len{
+        if m >= mask_len {
+            m = 0;
+        }
+        strb[i] = (strb[i].wrapping_add(maskb[m])) % 128;
+        i += 1;
+        m+= 1;
+    }
+    return String::from_utf8(strb).unwrap();
+}
+
 #[cfg(test)]
 pub mod tests {
     use super::*;
+    use rand::{thread_rng, Rng};
+    use rand::distributions::Alphanumeric;
     static EMAIL: &str = "[email protected]";
 
     #[test]
     fn it_hashes_a_password() {
         let password = "password";
-        let hashed = hash(password);
+        let salt = thread_rng().sample_iter(&Alphanumeric).take(32).collect::<String>();
+        let hashed = hash(password, &salt);
         assert_ne!(password, hashed);
     }
 
     #[test]
     fn it_matches_2_hashed_passwords() {
         let password = "password";
-        let hashed = hash(password);
-        let hashed_again = hash(password);
+        let salt = thread_rng().sample_iter(&Alphanumeric).take(32).collect::<String>();
+        let hashed = hash(password, &salt);
+        let hashed_again = hash(password, &salt);
         assert_eq!(hashed, hashed_again);
     }
 
@@ -97,4 +122,13 @@ pub mod tests {
         let decoded = decode_jwt(&jwt).unwrap();
         assert_eq!(private_claim, decoded);
     }
+
+
+    #[test]
+    fn it_masks_a_string() {
+        let salt = "salt1salt2salt3".to_string();
+        let mask = "mask52632".to_string();
+        let masked = mask_str(&salt, &mask);
+        assert_ne!(masked, "".to_string());
+    }
 }

src/handlers/auth.rs

@@ -1,4 +1,4 @@
-use crate::auth::{create_jwt, hash, PrivateClaim};
+use crate::auth::{create_jwt, PrivateClaim};
 use crate::database::PoolType;
 use crate::errors::ApiError;
 use crate::handlers::user::UserResponse;
@@ -31,9 +31,8 @@ pub async fn login(
 ) -> Result<Json<UserResponse>, ApiError> {
     validate(&params)?;
 
-    // Validate that the email + hashed password matches
-    let hashed = hash(&params.password);
-    let user = block(move || find_by_auth(&pool, &params.email, &hashed)).await?;
+    // Validate that the email + password matches
+    let user = block(move || find_by_auth(&pool, &params.email, &params.password)).await?;
 
     // Create a JWT
     let private_claim = PrivateClaim::new(user.id, user.email.clone());

src/models/user.rs

@@ -3,6 +3,8 @@ use crate::database::PoolType;
 use crate::errors::ApiError;
 use crate::handlers::user::{UserResponse, UsersResponse};
 use crate::schema::users;
+use rand::{thread_rng, Rng};
+use rand::distributions::Alphanumeric;
 use chrono::{NaiveDateTime, Utc};
 use diesel::prelude::*;
 use uuid::Uuid;
@@ -14,6 +16,7 @@ pub struct User {
     pub last_name: String,
     pub email: String,
     pub password: String,
+    pub salt: String,
     pub created_by: String,
     pub created_at: NaiveDateTime,
     pub updated_by: String,
@@ -78,15 +81,20 @@ pub fn find_by_auth(
     user_email: &str,
     user_password: &str,
 ) -> Result<UserResponse, ApiError> {
-    use crate::schema::users::dsl::{email, password, users};
+    use crate::schema::users::dsl::{email, users};
 
     let conn = pool.get()?;
     let user = users
         .filter(email.eq(user_email.to_string()))
-        .filter(password.eq(user_password.to_string()))
         .first::<User>(&conn)
         .map_err(|_| ApiError::Unauthorized("Invalid login".into()))?;
-    Ok(user.into())
+    let hashed = hash(user_password,&user.salt);
+    if hashed.eq(&user.password) {
+        Ok(user.into())
+    } else {
+        Err(ApiError::Unauthorized("Invalid login".into()))
+    }
+
 }
 
 /// Create a new user
@@ -123,12 +131,14 @@ pub fn delete(pool: &PoolType, user_id: Uuid) -> Result<(), ApiError> {
 
 impl From<NewUser> for User {
     fn from(user: NewUser) -> Self {
+        let salt = thread_rng().sample_iter(&Alphanumeric).take(32).collect::<String>();
         User {
             id: user.id,
             first_name: user.first_name,
             last_name: user.last_name,
             email: user.email,
-            password: hash(&user.password),
+            password: hash(&user.password,&salt),
+            salt: salt,
             created_by: user.created_by,
             created_at: Utc::now().naive_utc(),
             updated_by: user.updated_by,

src/schema.rs

@@ -5,6 +5,7 @@ table! {
         last_name -> Varchar,
         email -> Varchar,
         password -> Varchar,
+        salt -> Varchar,
         created_by -> Varchar,
         created_at -> Timestamp,
         updated_by -> Varchar,