You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hey, I was just looking through your code. I noticed that you have a verify_password function and a change_password function.
It would probably be more ideal from a security perspective if you called the verify_password function inside the change_password function. This will allow you to reuse your change_password function (when you start to implement multiple ways to access the system. I.e. Website, terminal, etc.) It'll prevent you from forgetting to add a verification into every implementation.
If you wanted to refactor it you could add the password field to your add_user SQL query/function. then add in a current_password parameter to your change_password function, and then call verify_password inside change_password.
After all it makes more sense, since you aren't 'changing' a password that hasn't been set.
I hope that makes sense. This is an interesting project and I'd be happy to contribute if you're accepting PR's.
The text was updated successfully, but these errors were encountered:
Hi thanks for noting that :) This makes sense for sure.
I am certainly happy to accept PR's 👍
But I think while I am at it I probably can combine this with #9 at least in parts. Aka moving the current auth to some trait based abstraction which then calls db stuff in it :)
Hey, I was just looking through your code. I noticed that you have a verify_password function and a change_password function.
It would probably be more ideal from a security perspective if you called the verify_password function inside the change_password function. This will allow you to reuse your change_password function (when you start to implement multiple ways to access the system. I.e. Website, terminal, etc.) It'll prevent you from forgetting to add a verification into every implementation.
I noticed when you create a new user, you use the change_password function as well here:
https://github.com/MTRNord/erooster/blob/b7c1da4c3fba816b3fc25e94a92d2b7826b283ac/src/cmds/eroosterctl.rs#L270
If you wanted to refactor it you could add the password field to your add_user SQL query/function. then add in a current_password parameter to your change_password function, and then call verify_password inside change_password.
After all it makes more sense, since you aren't 'changing' a password that hasn't been set.
I hope that makes sense. This is an interesting project and I'd be happy to contribute if you're accepting PR's.
The text was updated successfully, but these errors were encountered: