Wrap app tokens and password of User in secret type

2025-12-14 17:12:22 +00:00 · 2025-04-16 16:30:45 +02:00
parent 9bff8c228d
commit ed84fb894f
4 changed files with 21 additions and 5 deletions
--- a/crates/store/src/auth/toml_user_store.rs
+++ b/crates/store/src/auth/toml_user_store.rs
@@ -89,7 +89,7 @@ impl AuthenticationProvider for TomlPrincipalStore {
            None => return Ok(None),
        };

-        if password_auth::verify_password(password_input, password).is_ok() {
+        if password_auth::verify_password(password_input, password.as_ref()).is_ok() {
            return Ok(Some(user));
        }
        Ok(None)
@@ -102,7 +102,7 @@ impl AuthenticationProvider for TomlPrincipalStore {
        };

        for app_token in &user.app_tokens {
-            if password_auth::verify_password(token, &app_token.token).is_ok() {
+            if password_auth::verify_password(token, app_token.token.as_ref()).is_ok() {
                return Ok(Some(user));
            }
        }
@@ -135,7 +135,7 @@ impl AuthenticationProvider for TomlPrincipalStore {
                .to_string();
            principal.app_tokens.push(AppToken {
                name,
-                token: token_hash,
+                token: token_hash.into(),
                created_at: Some(chrono::Utc::now()),
                id: id.clone(),
            });
--- a/crates/store/src/auth/user.rs
+++ b/crates/store/src/auth/user.rs
@@ -9,6 +9,8 @@ use rustical_xml::ValueSerialize;
 use serde::{Deserialize, Serialize};
 use std::future::{Ready, ready};

+use crate::Secret;
+
 /// https://datatracker.ietf.org/doc/html/rfc5545#section-3.2.3
 #[derive(Debug, Clone, Deserialize, Serialize, Default, PartialEq)]
 #[serde(rename_all = "lowercase")]
@@ -39,7 +41,7 @@ impl ValueSerialize for PrincipalType {
 pub struct AppToken {
    pub id: String,
    pub name: String,
-    pub token: String,
+    pub token: Secret<String>,
    pub created_at: Option<DateTime<Utc>>,
 }

@@ -51,7 +53,7 @@ pub struct User {
    pub displayname: Option<String>,
    #[serde(default)]
    pub principal_type: PrincipalType,
-    pub password: Option<String>,
+    pub password: Option<Secret<String>>,
    #[serde(default)]
    pub app_tokens: Vec<AppToken>,
    #[serde(default)]