elif-http 0.8.8

HTTP server core for the elif.rs LLM-friendly web framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

//! Secure password hashing for channel authentication
//!
//! This module provides production-ready password hashing using Argon2id,
//! the winner of the Password Hashing Competition and recommended by OWASP.

use argon2::{
    password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
    Argon2,
};
use std::fmt;

/// Secure password hash using Argon2id
#[derive(Debug, Clone, PartialEq)]
pub struct SecurePasswordHash(String);

/// Errors that can occur during password hashing operations
#[derive(Debug, thiserror::Error)]
pub enum PasswordError {
    #[error("Failed to hash password: {0}")]
    HashError(String),
    #[error("Failed to verify password: {0}")]
    VerifyError(String),
    #[error("Invalid password hash format")]
    InvalidHash,
}

impl SecurePasswordHash {
    /// Hash a plaintext password using Argon2id with secure defaults
    ///
    /// Uses Argon2id variant which provides resistance against both
    /// side-channel and GPU-based attacks.
    pub fn hash_password(password: &str) -> Result<Self, PasswordError> {
        let salt = SaltString::generate(&mut OsRng);

        // Use Argon2id with OWASP recommended parameters
        let argon2 = Argon2::default();

        let password_hash = argon2
            .hash_password(password.as_bytes(), &salt)
            .map_err(|e| PasswordError::HashError(e.to_string()))?;

        Ok(Self(password_hash.to_string()))
    }

    /// Verify a plaintext password against this hash
    pub fn verify_password(&self, password: &str) -> Result<bool, PasswordError> {
        let parsed_hash = PasswordHash::new(&self.0).map_err(|_| PasswordError::InvalidHash)?;

        let argon2 = Argon2::default();

        match argon2.verify_password(password.as_bytes(), &parsed_hash) {
            Ok(()) => Ok(true),
            Err(argon2::password_hash::Error::Password) => Ok(false),
            Err(e) => Err(PasswordError::VerifyError(e.to_string())),
        }
    }

    /// Get the hash string (for storage)
    pub fn as_str(&self) -> &str {
        &self.0
    }

    /// Create from a stored hash string
    pub fn from_hash_string(hash: String) -> Result<Self, PasswordError> {
        // Validate the hash format
        PasswordHash::new(&hash).map_err(|_| PasswordError::InvalidHash)?;

        Ok(Self(hash))
    }
}

impl fmt::Display for SecurePasswordHash {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.0)
    }
}

impl From<SecurePasswordHash> for String {
    fn from(hash: SecurePasswordHash) -> String {
        hash.0
    }
}

impl TryFrom<String> for SecurePasswordHash {
    type Error = PasswordError;

    fn try_from(hash: String) -> Result<Self, Self::Error> {
        Self::from_hash_string(hash)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_password_hashing_and_verification() {
        let password = "secure_password_123!";

        // Hash the password
        let hash = SecurePasswordHash::hash_password(password).unwrap();

        // Verify correct password
        assert!(hash.verify_password(password).unwrap());

        // Verify incorrect password
        assert!(!hash.verify_password("wrong_password").unwrap());
    }

    #[test]
    fn test_hash_uniqueness() {
        let password = "same_password";

        let hash1 = SecurePasswordHash::hash_password(password).unwrap();
        let hash2 = SecurePasswordHash::hash_password(password).unwrap();

        // Hashes should be different due to random salts
        assert_ne!(hash1.as_str(), hash2.as_str());

        // But both should verify the same password
        assert!(hash1.verify_password(password).unwrap());
        assert!(hash2.verify_password(password).unwrap());
    }

    #[test]
    fn test_hash_string_conversion() {
        let password = "test_password";
        let hash = SecurePasswordHash::hash_password(password).unwrap();

        let hash_string = hash.to_string();
        let reconstructed = SecurePasswordHash::from_hash_string(hash_string).unwrap();

        assert!(reconstructed.verify_password(password).unwrap());
    }

    #[test]
    fn test_invalid_hash_format() {
        let result = SecurePasswordHash::from_hash_string("invalid_hash".to_string());
        assert!(matches!(result, Err(PasswordError::InvalidHash)));
    }
}