Currently any existing user will create a session regardless of password

[farmeroy]

https://github.com/joshua-mo-143/nodeshuttle-example/blob/1c37bbce8fc4898cce48e13cec8778f276b65b71/backend/src/router.rs#L120C1-L122C14

First of all, I really appreciate this example app, I used it to help set up my own Next.js/Axum project. However, while working on my project I noticed that they way that the password is verified here with bcrypt results in any valid user being granted a session, even if the passwords don't match.
It seems to be that bcrypt::verify returns a result, which here is left wrapped - so unless there is an error when you try to compare the hashed passwords, the session is created. I would suggest changing the code to something like:

        if bcrypt::verify(password, res.get("password")).unwrap() == false {
            println!("Unauthorized");
            return Err(Error::RowNotFound);
        }

I mean, maybe unwrap() is not the right call, but this at least ensures that if the hashed passwords don't match, a session will not be created

[joshua-mo-143]

Heya - this was actually updated in the official Shuttle Examples repository but I haven't managed to get around to updating my own repository since. I'll have a quick look and fix it

[farmeroy]

Ah ok. So I was reading this article of yours: https://joshmo.hashnode.dev/nextjs-and-rust-an-innovative-approach-to-full-stack-development which also contains this problem, maybe check that out as well