Currently any existing user will create a session regardless of password
Opened this issue · 2 comments
First of all, I really appreciate this example app, I used it to help set up my own Next.js/Axum project. However, while working on my project I noticed that they way that the password is verified here with bcrypt results in any valid user being granted a session, even if the passwords don't match.
It seems to be that bcrypt::verify returns a result, which here is left wrapped - so unless there is an error when you try to compare the hashed passwords, the session is created. I would suggest changing the code to something like:
if bcrypt::verify(password, res.get("password")).unwrap() == false {
println!("Unauthorized");
return Err(Error::RowNotFound);
}I mean, maybe unwrap() is not the right call, but this at least ensures that if the hashed passwords don't match, a session will not be created
Heya - this was actually updated in the official Shuttle Examples repository but I haven't managed to get around to updating my own repository since. I'll have a quick look and fix it
Ah ok. So I was reading this article of yours: https://joshmo.hashnode.dev/nextjs-and-rust-an-innovative-approach-to-full-stack-development which also contains this problem, maybe check that out as well