fix: hash password befote saving on user create and password update

2025-04-18 13:16:48 +01:00 · 2025-04-18 13:16:48 +01:00 · 5159116544
commit 5159116544
parent 646e4aabd9
3 changed files with 137 additions and 11 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -847,6 +847,15 @@ version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0d8c1fef690941d3e7788d328517591fecc684c084084702d6ff1641e993699a"

+[[package]]
+name = "block-buffer"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "block-buffer"
 version = "0.10.4"
@ -878,6 +887,17 @@ dependencies = [
 "piper",
 ]

+[[package]]
+name = "blowfish"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32fa6a061124e37baba002e496d203e23ba3d7b73750be82dbfbc92913048a5b"
+dependencies = [
+ "byteorder",
+ "cipher",
+ "opaque-debug",
+]
+
 [[package]]
 name = "bluez-zbus"
 version = "0.1.0"
@ -1160,6 +1180,15 @@ dependencies = [
 "windows-link",
 ]

+[[package]]
+name = "cipher"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12f8e7987cbd042a63249497f41aed09f8e65add917ea6566effbc56578d6801"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "clang-sys"
 version = "1.8.1"
@ -1708,6 +1737,7 @@ dependencies = [
 "num-derive",
 "num-traits",
 "once_cell",
+ "pwhash",
 "regex",
 "ron 0.9.0",
 "rust-embed",
@ -1940,6 +1970,16 @@ dependencies = [
 "typenum",
 ]

+[[package]]
+name = "crypto-mac"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bff07008ec701e8028e2ceb8f83f0e4274ee62bd2dbdc4fefff2e9a91824081a"
+dependencies = [
+ "generic-array",
+ "subtle",
+]
+
 [[package]]
 name = "css-color"
 version = "0.2.8"
@ -2152,13 +2192,22 @@ dependencies = [
 "waker-fn",
 ]

+[[package]]
+name = "digest"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "digest"
 version = "0.10.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
 dependencies = [
- "block-buffer",
+ "block-buffer 0.10.4",
 "crypto-common",
 ]

@ -3124,6 +3173,16 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dfa686283ad6dd069f105e5ab091b04c62850d3e4cf5d67debad1933f55023df"

+[[package]]
+name = "hmac"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c1441c6b1e930e2817404b5046f1f989899143a12bf92de603b69f4e0aee1e15"
+dependencies = [
+ "crypto-mac",
+ "digest 0.9.0",
+]
+
 [[package]]
 name = "hostname-validator"
 version = "1.1.1"
@ -4786,6 +4845,17 @@ dependencies = [
 "rayon",
 ]

+[[package]]
+name = "md-5"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b5a279bb9607f9f53c22d496eade00d138d1bdcccd07d74650387cf94942a15"
+dependencies = [
+ "block-buffer 0.9.0",
+ "digest 0.9.0",
+ "opaque-debug",
+]
+
 [[package]]
 name = "memchr"
 version = "2.7.4"
@ -5485,6 +5555,12 @@ version = "1.21.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2806eaa3524762875e21c3dcd057bc4b7bfa01ce4da8d46be1cd43649e1cc6b"

+[[package]]
+name = "opaque-debug"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+
 [[package]]
 name = "option-ext"
 version = "0.2.0"
@ -5967,6 +6043,21 @@ dependencies = [
 "syn 1.0.109",
 ]

+[[package]]
+name = "pwhash"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "419a3ad8fa9f9d445e69d9b185a24878ae6e6f55c96e4512f4a0e28cd3bc5c56"
+dependencies = [
+ "blowfish",
+ "byteorder",
+ "hmac",
+ "md-5",
+ "rand",
+ "sha-1",
+ "sha2 0.9.9",
+]
+
 [[package]]
 name = "qoi"
 version = "0.4.1"
@ -6395,7 +6486,7 @@ version = "8.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5a2fcdc9f40c8dc2922842ca9add611ad19f332227fc651d015881ad1552bd9a"
 dependencies = [
- "sha2",
+ "sha2 0.10.8",
 "walkdir",
 ]

@ -6662,6 +6753,19 @@ dependencies = [
 "syn 2.0.100",
 ]

+[[package]]
+name = "sha-1"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99cd6713db3cf16b6c84e06321e049a9b9f699826e16096d23bbcc44d15d51a6"
+dependencies = [
+ "block-buffer 0.9.0",
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.9.0",
+ "opaque-debug",
+]
+
 [[package]]
 name = "sha1"
 version = "0.10.6"
@ -6670,7 +6774,20 @@ checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
 dependencies = [
 "cfg-if",
 "cpufeatures",
- "digest",
+ "digest 0.10.7",
+]
+
+[[package]]
+name = "sha2"
+version = "0.9.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+dependencies = [
+ "block-buffer 0.9.0",
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.9.0",
+ "opaque-debug",
 ]

 [[package]]
@ -6681,7 +6798,7 @@ checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
 dependencies = [
 "cfg-if",
 "cpufeatures",
- "digest",
+ "digest 0.10.7",
 ]

 [[package]]
@ -6946,6 +7063,12 @@ version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"

+[[package]]
+name = "subtle"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
+
 [[package]]
 name = "sunrise"
 version = "1.2.1"
--- a/cosmic-settings/Cargo.toml
+++ b/cosmic-settings/Cargo.toml
@ -88,6 +88,7 @@ gettext-rs = { version = "0.7.2", features = [
 async-fn-stream = "0.2.2"
 num-traits = "0.2"
 num-derive = "0.4"
+pwhash = "1"

 [dependencies.cosmic-settings-subscriptions]
 git = "https://github.com/pop-os/cosmic-settings-subscriptions"
@ -156,9 +157,7 @@ page-input = [
    "dep:cosmic-settings-config",
    "dep:udev",
 ]
-page-legacy-applications = [
-    "dep:cosmic-comp-config",
-]
+page-legacy-applications = ["dep:cosmic-comp-config"]
 page-networking = [
    "xdg-portal",
    "dep:cosmic-dbus-networkmanager",
--- a/cosmic-settings/src/pages/system/users/mod.rs
+++ b/cosmic-settings/src/pages/system/users/mod.rs
@ -11,6 +11,7 @@ use cosmic::{
    widget::{self, Space, column, icon, row, settings, text},
 };
 use cosmic_settings_page::{self as page, Section, section};
+use pwhash::bcrypt;
 use regex::Regex;
 use slab::Slab;
 use slotmap::SlotMap;
@ -556,7 +557,7 @@ impl Page {
                self.dialog = None;

                let uid = user.id;
-                let password = user.password;
+                let password_hashed = bcrypt::hash(user.password).unwrap();

                return cosmic::Task::future(async move {
                    let Ok(conn) = zbus::Connection::system().await else {
@ -567,8 +568,10 @@ impl Page {
                        return;
                    };

-                    match request_permission_on_denial(&conn, || user.set_password(&password, ""))
-                        .await
+                    match request_permission_on_denial(&conn, || {
+                        user.set_password(&password_hashed, "")
+                    })
+                    .await
                    {
                        Err(why) => {
                            tracing::error!(?why, "failed to set password");
@ -652,9 +655,10 @@ impl Page {
                        }
                    };

+                    let password_hashed = bcrypt::hash(password).unwrap();
                    match accounts_zbus::UserProxy::new(&conn, user_object_path).await {
                        Ok(user) => {
-                            _ = user.set_password(&password, "").await;
+                            _ = user.set_password(&password_hashed, "").await;
                            _ = user.set_icon_file(DEFAULT_ICON_FILE).await
                        }