chopin-auth 0.5.34

Zero-overhead JWT authentication and RBAC for the Chopin framework.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

//! Argon2id password hashing and verification.
//!
//! Provides three presets for common security levels — see [`PasswordHasher`] for details.
//!
//! ```rust,ignore
//! use chopin_auth::PasswordHasher;
//!
//! let hasher = PasswordHasher::interactive();
//! let hash   = hasher.hash(b"hunter2").unwrap();
//! assert!(hasher.verify(b"hunter2", &hash).unwrap());
//! ```
// src/crypto.rs
use argon2::{
    Argon2, Params,
    password_hash::{
        PasswordHash, PasswordHasher as Argon2PasswordHasher, PasswordVerifier, SaltString,
        rand_core::OsRng,
    },
};
use chopin_core::error::{ChopinError, ChopinResult};

// ─── PasswordHasher ──────────────────────────────────────────────────────────

/// A configurable Argon2id password hasher.
///
/// Use the preset constructors for common configurations or [`PasswordHasher::custom`]
/// for full control:
///
/// | Preset | Memory | Iterations | Threads | Use case |
/// |---|---|---|---|---|
/// | [`interactive`](PasswordHasher::interactive) | 19 MiB | 2 | 1 | Default / login |
/// | [`sensitive`](PasswordHasher::sensitive) | 64 MiB | 4 | 2 | High-value secrets |
///
/// # Example
/// ```rust,ignore
/// use chopin_auth::PasswordHasher;
/// let hasher = PasswordHasher::interactive();
/// let hash = hasher.hash(b"my-password")?;
/// assert!(hasher.verify(b"my-password", &hash)?);
/// ```
#[derive(Clone)]
pub struct PasswordHasher {
    params: Params,
}

impl PasswordHasher {
    /// Interactive preset (Argon2id defaults: 19 MiB, 2 iterations, 1 thread).
    /// Balanced between speed and security; suitable for most login flows.
    pub fn interactive() -> Self {
        Self {
            params: Params::default(),
        }
    }

    /// Sensitive preset (64 MiB, 4 iterations, 2 threads).
    /// Slower and more memory-intensive; suitable for high-value secrets.
    pub fn sensitive() -> Self {
        Self::custom(65_536, 4, 2).expect("sensitive params are valid")
    }

    /// Custom Argon2id parameters.
    ///
    /// - `memory_kib`: memory cost in kibibytes (minimum 8).
    /// - `iterations`: time cost (minimum 1).
    /// - `parallelism`: degree of parallelism (minimum 1).
    pub fn custom(memory_kib: u32, iterations: u32, parallelism: u32) -> ChopinResult<Self> {
        let params = Params::new(memory_kib, iterations, parallelism, None)
            .map_err(|e| ChopinError::Other(format!("invalid Argon2 params: {e}")))?;
        Ok(Self { params })
    }

    /// Hash a password using Argon2id. Returns a PHC-format string.
    pub fn hash(&self, password: &[u8]) -> ChopinResult<String> {
        let salt = SaltString::generate(&mut OsRng);
        let argon2 = Argon2::new(
            argon2::Algorithm::Argon2id,
            argon2::Version::V0x13,
            self.params.clone(),
        );
        argon2
            .hash_password(password, &salt)
            .map(|h| h.to_string())
            .map_err(|e| ChopinError::Other(format!("failed to hash password: {e}")))
    }

    /// Verify a password against a PHC-format hash string.
    ///
    /// Returns `Ok(true)` on match, `Ok(false)` on mismatch, `Err` on invalid hash.
    pub fn verify(&self, password: &[u8], hash: &str) -> ChopinResult<bool> {
        let parsed = PasswordHash::new(hash)
            .map_err(|e| ChopinError::Other(format!("invalid hash format: {e}")))?;
        Ok(Argon2::default().verify_password(password, &parsed).is_ok())
    }
}

impl Default for PasswordHasher {
    fn default() -> Self {
        Self::interactive()
    }
}

// ─── Convenience free functions ──────────────────────────────────────────────

/// Hash a password using the interactive Argon2id preset.
///
/// This is a convenience wrapper around [`PasswordHasher::interactive`].
/// For configurable parameters, use [`PasswordHasher`] directly.
pub fn hash_password(password: &[u8]) -> ChopinResult<String> {
    PasswordHasher::interactive().hash(password)
}

/// Verify a password against a PHC-format hash string.
///
/// This is a convenience wrapper around [`PasswordHasher::interactive`].
pub fn verify_password(password: &[u8], hash: &str) -> ChopinResult<bool> {
    PasswordHasher::interactive().verify(password, hash)
}

#[cfg(test)]
mod tests {
    use super::*;

    // NOTE: Argon2 is intentionally slow (~100–300 ms per call).
    // These tests exercise correctness, not speed.

    #[test]
    fn test_hash_password_returns_ok() {
        let result = hash_password(b"mypassword");
        assert!(result.is_ok(), "hash_password should return Ok");
        let hash = result.unwrap();
        assert!(
            hash.starts_with("$argon2"),
            "unexpected hash format: {hash}"
        );
    }

    #[test]
    fn test_verify_correct_password_returns_true() {
        let hash = hash_password(b"correct-horse").unwrap();
        let ok = verify_password(b"correct-horse", &hash).unwrap();
        assert!(ok, "correct password should verify true");
    }

    #[test]
    fn test_verify_wrong_password_returns_false() {
        let hash = hash_password(b"correct-horse").unwrap();
        let ok = verify_password(b"wrong-battery", &hash).unwrap();
        assert!(!ok, "wrong password should verify false");
    }

    #[test]
    fn test_invalid_hash_format_returns_err() {
        let result = verify_password(b"password", "not-a-valid-hash");
        assert!(result.is_err(), "invalid hash format should return Err");
    }

    #[test]
    fn test_hash_is_unique_per_call() {
        let h1 = hash_password(b"same-pass").unwrap();
        let h2 = hash_password(b"same-pass").unwrap();
        assert_ne!(
            h1, h2,
            "two hashes of the same password must differ (random salt)"
        );
    }

    #[test]
    fn test_empty_password_hashes_and_verifies() {
        let hash = hash_password(b"").unwrap();
        assert!(verify_password(b"", &hash).unwrap());
        assert!(!verify_password(b"notempty", &hash).unwrap());
    }

    #[test]
    fn test_password_hasher_struct() {
        let hasher = PasswordHasher::interactive();
        let hash = hasher.hash(b"structpass").unwrap();
        assert!(hasher.verify(b"structpass", &hash).unwrap());
        assert!(!hasher.verify(b"wrong", &hash).unwrap());
    }

    #[test]
    fn test_sensitive_preset_produces_valid_hash() {
        let hasher = PasswordHasher::sensitive();
        let hash = hasher.hash(b"sensitive").unwrap();
        assert!(hasher.verify(b"sensitive", &hash).unwrap());
    }

    #[test]
    fn test_custom_params() {
        // Use very low params so the test is fast.
        let hasher = PasswordHasher::custom(8, 1, 1).unwrap();
        let hash = hasher.hash(b"custom").unwrap();
        assert!(hasher.verify(b"custom", &hash).unwrap());
    }
}