/* This file is part of jellything (https://codeberg.org/metamuffin/jellything) which is licensed under the GNU Affero General Public License (version 3); see /COPYING. Copyright (C) 2025 metamuffin */ use crate::{CONF, session::create}; use anyhow::{Result, anyhow}; use argon2::{Argon2, PasswordHasher, password_hash::Salt}; use jellycommon::user::UserPermission; use jellydb::Database; use log::info; use std::{collections::HashSet, time::Duration}; pub fn create_admin_account(database: &Database) -> Result<()> { if let Some(username) = &CONF.admin_username && let Some(password) = &CONF.admin_password { database .create_admin_user(username, hash_password(username, password)) .unwrap(); } else { info!("admin account disabled") } Ok(()) } pub fn login_logic( database: &Database, username: &str, password: &str, expire: Option, drop_permissions: Option>, ) -> Result { // hashing the password regardless if the accounts exists to better resist timing attacks let password = hash_password(username, password); let mut user = database .get_user(username)? .ok_or(anyhow!("invalid password"))?; if user.password != password { Err(anyhow!("invalid password"))? } if let Some(ep) = drop_permissions { // remove all grant perms that are in `ep` user.permissions .0 .retain(|p, val| if *val { !ep.contains(p) } else { true }) } Ok(create( user.name, user.permissions, Duration::from_days( CONF.login_expire .min(expire.unwrap_or(i64::MAX)) .try_into() .unwrap(), ), )) } pub fn hash_password(username: &str, password: &str) -> Vec { Argon2::default() .hash_password( format!("{username}\0{password}").as_bytes(), <&str as TryInto>::try_into("IYMa13osbNeLJKnQ1T8LlA").unwrap(), ) .unwrap() .hash .unwrap() .as_bytes() .to_vec() }