django-auth 0.1.1

Authenticate or generate Django-managed passwords
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

use base64::prelude::*;
use pbkdf2::pbkdf2_hmac_array;
use sha2::Sha256;

type Result<T> = std::result::Result<T, Error>;

#[derive(thiserror::Error, Debug)]
pub enum Error {
    #[error("invalid django-style encoded password: {0}")]
    InvalidEncodedPassword(String),

    #[error("unsupported algorithm: {0}")]
    UnsupportedAlgorithm(String),

    #[error("invalid salt: {0}")]
    InvalidSalt(String),
}

/// Verify `password` based on `encoded_password` which is managed by Django,
/// return Ok(true) if verification is successful, otherwise return false.
///
/// Currently only the default pbkdf2_sha256 algorithm is supported.
///
/// # Usage
///
/// ```rust
/// use django_auth::*;
///
/// let res = django_auth(
///     "hello",
///     "pbkdf2_sha256$180000$btQDcwXF2RoK6Q$D4cC7bgbaIZGHsTdw9TYhRfuLfLGbsZlI4Rp802e7kU=",
/// ).expect("django_auth error");
///
/// assert!(res);
/// ```
///
pub fn django_auth(password: &str, encoded_password: &str) -> Result<bool> {
    // split hashed_password into 4 parts: algorithm, iterations, salt, hash
    let parts = encoded_password.split('$');

    let parts: Vec<&str> = parts.take(4).collect();
    if parts.len() != 4 {
        return Err(Error::InvalidEncodedPassword(
            "encoded password should have 4 components separated by '$'".to_owned(),
        ));
    }

    let (algorithm, iterations, salt) = (parts[0], parts[1], parts[2]);

    if algorithm != "pbkdf2_sha256" {
        return Err(Error::UnsupportedAlgorithm(algorithm.to_owned()));
    }

    let iterations: u32 = iterations
        .parse()
        .expect("invalid iterations in hashed password");

    let encoded = django_encode_password(password, salt, iterations)?;
    Ok(encoded == encoded_password)
}

/// Encode `password` in [Django way][1].
///
/// # Usage
///
/// ```rust
/// use django_auth::*;
/// let password = "hello";
/// let encoded_password = django_encode_password(password, "btQDcwXF2RoK6Q", 0)
///     .expect("django_encode_password error");

/// assert_eq!(
///     encoded_password,
///     "pbkdf2_sha256$180000$btQDcwXF2RoK6Q$D4cC7bgbaIZGHsTdw9TYhRfuLfLGbsZlI4Rp802e7kU="
/// );
/// let res = django_auth(password, &encoded_password).expect("auth failed");
/// assert!(res);
/// ```
///
/// [1]: https://docs.djangoproject.com/en/5.0/topics/auth/passwords/
///
pub fn django_encode_password(password: &str, salt: &str, mut iterations: u32) -> Result<String> {
    if salt.contains('$') {
        return Err(Error::InvalidSalt("salt contains dollar sign ($)".into()));
    }

    if iterations == 0 {
        iterations = 180000;
    }

    let hash = pbkdf2_hmac_array::<Sha256, 32>(password.as_bytes(), salt.as_bytes(), iterations);
    let hash = BASE64_STANDARD.encode(hash);
    let res = format!("{}${}${}${}", "pbkdf2_sha256", iterations, salt, hash);

    Ok(res)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_django_auth() {
        let res = django_auth(
            "hello",
            "pbkdf2_sha256$180000$btQDcwXF2RoK6Q$D4cC7bgbaIZGHsTdw9TYhRfuLfLGbsZlI4Rp802e7kU=",
        )
        .unwrap();

        assert!(res);

        let res = django_auth(
            "hello",
            "pbkdf2_sha256$180000$btQDcwXF2RoK6Q$D4cC7bgbaIZGHsTdw9TYhRfuLfLGbsZlI4Rp802e7kU",
        )
        .unwrap();
        assert!(!res);

        let res = django_auth("world", "abc$edf");
        assert!(res.is_err());
    }

    #[test]
    fn test_djaongo_encode_password() {
        let password = "hello";
        let encoded_password = django_encode_password(password, "btQDcwXF2RoK6Q", 0)
            .expect("django_encode_password failed");
        assert_eq!(
            encoded_password,
            "pbkdf2_sha256$180000$btQDcwXF2RoK6Q$D4cC7bgbaIZGHsTdw9TYhRfuLfLGbsZlI4Rp802e7kU="
        );
        let res = django_auth(password, &encoded_password).expect("auth failed");
        assert!(res);

        let password = "hello";
        let res = django_encode_password(password, "btQDcwXF$2RoK6Q", 0);
        assert!(res.is_err());

        let password = "hello";
        let encoded_password = django_encode_password(password, "btQDcwXF2RoK6Q", 10)
            .expect("django_encode_password failed");
        assert_ne!(
            encoded_password,
            "pbkdf2_sha256$180000$btQDcwXF2RoK6Q$D4cC7bgbaIZGHsTdw9TYhRfuLfLGbsZlI4Rp802e7kU="
        );

        let password = "hello";
        let encoded_password = django_encode_password(password, "btQDcwXF2RoK6Qx", 0)
            .expect("django_encode_password failed");
        assert_ne!(
            encoded_password,
            "pbkdf2_sha256$180000$btQDcwXF2RoK6Q$D4cC7bgbaIZGHsTdw9TYhRfuLfLGbsZlI4Rp802e7kU="
        );
    }
}