Diffstat (limited to 'server/src/routes/ui/account/mod.rs')
-rw-r--r--server/src/routes/ui/account/mod.rs15
1 files changed, 9 insertions, 6 deletions
diff --git a/server/src/routes/ui/account/mod.rs b/server/src/routes/ui/account/mod.rs
index 63c01c5..9007558 100644
--- a/server/src/routes/ui/account/mod.rs
+++ b/server/src/routes/ui/account/mod.rs
@@ -5,9 +5,9 @@
*/
pub mod admin;
pub mod session;
+pub mod settings;
use self::session::SessionCookie;
-
use super::{error::MyError, layout::LayoutPage};
use crate::{
database::{Database, User},
@@ -120,7 +120,7 @@ pub fn r_account_register_post<'a>(
Some(&User {
display_name: form.username.clone(),
name: form.username.clone(),
- password: hash_password(&form.password),
+ password: hash_password(&form.username, &form.password),
admin: false,
}),
)
@@ -148,7 +148,7 @@ pub fn r_account_login_post(
};
// hashing the password regardless if the accounts exists to prevent timing attacks
- let password = hash_password(&form.password);
+ let password = hash_password(&form.username, &form.password);
let user = database
.users
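Review bot: `hash_password(&form.username, &form.password)` on the `let password` line now depends on the exact bytes of the submitted username, so the lookup that follows on `database.users` must match on the same untransformed string; if that lookup trims or lowercases the name (it runs past the end of the hunk, so I cannot tell), a user who registered as `Alice` and logs in as `alice` would be found yet never authenticate. The comment above says hashing unconditionally defends against timing attacks, but that only holds if the comparison with the stored hash, also outside the hunk, is constant-time too; a plain `==` on `Vec<u8>` short-circuits on the first differing byte. At minimum the `let password` line deserves a comment such as `// must mirror any username normalisation applied by the lookup below`, and a `verify_password`-style constant-time check would remove the concern entirely. The body of `r_account_login_post` continues beyond this hunk.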
@@ -177,7 +177,7 @@ pub fn r_account_logout_post(jar: &CookieJar) -> MyResult<Redirect> {
Ok(Redirect::found(uri!(r_home())))
}
-fn format_form_error<T>(form: Form<Contextual<T>>) -> MyError {
+pub fn format_form_error<T>(form: Form<Contextual<T>>) -> MyError {
let mut k = String::from("form validation failed:");
for e in form.context.errors() {
k += &format!(
@@ -191,9 +191,12 @@ fn format_form_error<T>(form: Form<Contextual<T>>) -> MyError {
MyError(anyhow!(k))
}
-pub fn hash_password(s: &str) -> Vec<u8> {
+pub fn hash_password(username: &str, password: &str) -> Vec<u8> {
Argon2::default()
- .hash_password(s.as_bytes(), r"IYMa13osbNeLJKnQ1T8LlA")
+ .hash_password(
+ format!("{username}\0{password}").as_bytes(),
+ r"IYMa13osbNeLJKnQ1T8LlA",
+ )
.unwrap()
.hash
.unwrap()
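Review bot: The rewritten `hash_password` still derives every hash from the fixed salt `r"IYMa13osbNeLJKnQ1T8LlA"`; prefixing the username only separates users within one deployment, while the same username (an `admin` account, say) produces the same hash on every instance of this software, so precomputation across installs remains possible. The argon2 API is built for a random per-user salt: generate one with `SaltString::generate(&mut OsRng)`, store the full PHC string from `.to_string()` (it carries salt and parameters), and check logins with `PasswordVerifier::verify_password` rather than comparing hash bytes. Binding the username into the digest also means the stored hash silently breaks if the name is ever changed or normalised differently at login, a coupling a random salt makes unnecessary. This alters the stored format and the login comparison, both outside this hunk, and relies on `SaltString`/`OsRng` from argon2's `password_hash` re-export (its `rand` feature), which I cannot confirm is enabled from here; the function's closing lines are also outside the hunk.
```rust
pub fn hash_password(_username: &str, password: &str) -> Vec<u8> {
    // Fresh random salt per call; the PHC string stores it next to the hash,
    // so the value is self-describing and checkable with verify_password.
    let salt = SaltString::generate(&mut OsRng);
    Argon2::default()
        .hash_password(password.as_bytes(), &salt)
        .unwrap()
        .to_string()
        .into_bytes()
}
```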