Make secrets more secret

5 files changed, 36 insertions, 22 deletions

diff --git a/src/main.rs b/src/main.rs
index dff3f3f..d454a8c 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -9,7 +9,8 @@ use services::*;
 
 #[actix_web::main]
 async fn main() -> Result<(), RawUnexpected> {
-	let sql_pool = db::initialize("password_database", "dbuser", "Demo1234").await?;
+	let db_url = secrets::database_url()?;
+	let sql_pool = db::initialize(&db_url).await?;
 
 	HttpServer::new(move || {
 		App::new()
diff --git a/src/services/crypto.rs b/src/services/crypto.rs
index 580e83a..7ad2ce0 100644
--- a/src/services/crypto.rs
+++ b/src/services/crypto.rs
@@ -3,24 +3,23 @@ use std::hash::Hash;
 use argon2::{hash_raw, verify_raw};
 use exun::RawUnexpected;
 
-/// A custom pepper used to hide passwords
-static PEPPER: [u8; 16] = [
-	0x98, 0x7f, 0x6f, 0xce, 0x20, 0x76, 0x2c, 0x8a, 0xae, 0xf6, 0xee, 0x45, 0xb3, 0x6b, 0x1f, 0x69,
-];
+use crate::services::secrets::pepper;
 
 /// The configuration used for hashing and verifying passwords
-static CONFIG: argon2::Config<'_> = argon2::Config {
-	hash_length: 32,
-	lanes: 4,
-	mem_cost: 5333,
-	time_cost: 4,
-	secret: &PEPPER,
+fn config<'a>(pepper: &'a [u8]) -> argon2::Config<'a> {
+	argon2::Config {
+		hash_length: 32,
+		lanes: 4,
+		mem_cost: 5333,
+		time_cost: 4,
+		secret: pepper,
 
-	ad: &[],
-	thread_mode: argon2::ThreadMode::Sequential,
-	variant: argon2::Variant::Argon2i,
-	version: argon2::Version::Version13,
-};
+		ad: &[],
+		thread_mode: argon2::ThreadMode::Sequential,
+		variant: argon2::Variant::Argon2i,
+		version: argon2::Version::Version13,
+	}
+}
 
 /// A password hash and salt for a user
 #[derive(Debug, Clone, PartialEq, Eq)]
@@ -43,8 +42,8 @@ impl PasswordHash {
 
 		let salt: [u8; 16] = rand::random();
 		let salt = Box::from(salt);
-
-		let hash = hash_raw(password, &salt, &CONFIG)?.into_boxed_slice();
+		let pepper = pepper()?;
+		let hash = hash_raw(password, &salt, &config(&pepper))?.into_boxed_slice();
 
 		Ok(Self {
 			hash,
@@ -78,11 +77,12 @@ impl PasswordHash {
 
 	/// Check if the given password is the one that was hashed
 	pub fn check_password(&self, password: &str) -> Result<bool, RawUnexpected> {
+		let pepper = pepper()?;
 		Ok(verify_raw(
 			password.as_bytes(),
 			&self.salt,
 			&self.hash,
-			&CONFIG,
+			&config(&pepper),
 		)?)
 	}
 }
diff --git a/src/services/db.rs b/src/services/db.rs
index 80335c4..b24c640 100644
--- a/src/services/db.rs
+++ b/src/services/db.rs
@@ -33,9 +33,8 @@ impl TryFrom<UserRow> for User {
 }
 
 /// Intialize the connection pool
-pub async fn initialize(db: &str, user: &str, password: &str) -> Result<MySqlPool, RawUnexpected> {
-	let url = format!("mysql://{user}:{password}@localhost/{db}");
-	MySqlPool::connect(&url).await.unexpect()
+pub async fn initialize(db_url: &str) -> Result<MySqlPool, RawUnexpected> {
+	MySqlPool::connect(db_url).await.unexpect()
 }
 
 pub async fn user_id_exists<'c>(
diff --git a/src/services/mod.rs b/src/services/mod.rs
index 57146d8..09d2159 100644
--- a/src/services/mod.rs
+++ b/src/services/mod.rs
@@ -1,3 +1,4 @@
 pub mod crypto;
 pub mod db;
 pub mod id;
+pub mod secrets;
diff --git a/src/services/secrets.rs b/src/services/secrets.rs
new file mode 100644
index 0000000..e4a1ca1
--- /dev/null
+++ b/src/services/secrets.rs
@@ -0,0 +1,13 @@
+use std::env;
+
+use exun::*;
+
+pub fn pepper() -> Result<Box<[u8]>, RawUnexpected> {
+	let pepper = env::var("SECRET_SALT")?;
+	let pepper = hex::decode(pepper)?;
+	Ok(pepper.into_boxed_slice())
+}
+
+pub fn database_url() -> Result<String, RawUnexpected> {
+	env::var("DATABASE_URL").unexpect()
+}