reinhardt-auth 0.1.2

Authentication and authorization system
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

/// Password hasher trait
///
/// Implement this trait to create custom password hashing algorithms.
///
/// # Examples
///
/// ```
/// use reinhardt_auth::PasswordHasher;
/// #[cfg(feature = "argon2-hasher")]
/// use reinhardt_auth::Argon2Hasher;
///
/// # #[cfg(feature = "argon2-hasher")]
/// # {
/// let hasher = Argon2Hasher::new();
/// let password = "my_secure_password";
///
/// // Hash the password
/// let hash = hasher.hash(password).unwrap();
///
/// // Verify the password
/// assert!(hasher.verify(password, &hash).unwrap());
/// assert!(!hasher.verify("wrong_password", &hash).unwrap());
/// # }
/// ```
pub trait PasswordHasher: Send + Sync {
	/// Hashes a password
	///
	/// # Arguments
	///
	/// * `password` - The plaintext password to hash
	///
	/// # Returns
	///
	/// The hashed password as a string, or an error if hashing fails.
	fn hash(&self, password: &str) -> Result<String, reinhardt_core::exception::Error>;

	/// Verifies a password against a hash
	///
	/// # Arguments
	///
	/// * `password` - The plaintext password to verify
	/// * `hash` - The hash to verify against
	///
	/// # Returns
	///
	/// `Ok(true)` if the password matches, `Ok(false)` if it doesn't,
	/// or an error if verification fails.
	fn verify(&self, password: &str, hash: &str) -> Result<bool, reinhardt_core::exception::Error>;
}

/// Argon2id password hasher (recommended for new applications)
///
/// This hasher uses the Argon2id algorithm, which is currently recommended
/// by OWASP for password hashing. It provides strong resistance against
/// both GPU-based and side-channel attacks.
///
/// # Examples
///
/// ```
/// use reinhardt_auth::{PasswordHasher, Argon2Hasher};
///
/// # #[cfg(feature = "argon2-hasher")]
/// # {
/// let hasher = Argon2Hasher::new();
/// let password = "secure_password123";
///
/// // Hash a password
/// let hash = hasher.hash(password).unwrap();
/// assert!(!hash.is_empty());
///
/// // Verify the password against the hash
/// assert!(hasher.verify(password, &hash).unwrap());
///
/// // Wrong password should fail verification
/// assert!(!hasher.verify("wrong_password", &hash).unwrap());
/// # }
/// ```
#[cfg(feature = "argon2-hasher")]
#[derive(Clone)]
pub struct Argon2Hasher;

#[cfg(feature = "argon2-hasher")]
impl Argon2Hasher {
	/// Creates a new Argon2 password hasher
	pub fn new() -> Self {
		Self
	}
}

#[cfg(feature = "argon2-hasher")]
impl Default for Argon2Hasher {
	fn default() -> Self {
		Self::new()
	}
}

#[cfg(feature = "argon2-hasher")]
impl PasswordHasher for Argon2Hasher {
	fn hash(&self, password: &str) -> Result<String, reinhardt_core::exception::Error> {
		use argon2::Argon2;
		use password_hash::{PasswordHasher as _, SaltString, rand_core::OsRng};

		// Generate salt using cryptographically secure randomness
		let salt = SaltString::generate(&mut OsRng);

		let argon2 = Argon2::default();

		argon2
			.hash_password(password.as_bytes(), &salt)
			.map(|hash| hash.to_string())
			.map_err(|e| reinhardt_core::exception::Error::Authentication(e.to_string()))
	}

	fn verify(&self, password: &str, hash: &str) -> Result<bool, reinhardt_core::exception::Error> {
		use argon2::Argon2;
		use password_hash::{PasswordHash, PasswordVerifier};

		let parsed_hash = PasswordHash::new(hash)
			.map_err(|e| reinhardt_core::exception::Error::Authentication(e.to_string()))?;

		Ok(Argon2::default()
			.verify_password(password.as_bytes(), &parsed_hash)
			.is_ok())
	}
}