fixes & make apis harder to fuck up

osuAkatsuki · Aug 8, 2024 · 3920af5 · 3920af5
1 parent 70a76ab
commit 3920af5
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 10 deletions.
diff --git a/app/repositories/users.py b/app/repositories/users.py
@@ -133,14 +133,14 @@ async def update_username(user_id: int, new_username: str) -> None:
     await app.state.database.execute(query, params)
 
 
-async def update_password(user_id: int, new_password: str) -> None:
+async def update_password(user_id: int, *, new_hashed_password: str) -> None:
     query = """\
         UPDATE users
-        SET password_md5 = :new_password
+        SET password_md5 = :new_hashed_password
         WHERE id = :user_id
     """
     params = {
-        "new_password": new_password,
+        "new_hashed_password": new_hashed_password,
         "user_id": user_id,
     }
 

diff --git a/app/security.py b/app/security.py
@@ -6,17 +6,31 @@
 
 def hash_osu_password(password: str) -> str:
     return bcrypt.hashpw(
-        hashlib.md5(password.encode()).hexdigest().encode(),
-        bcrypt.gensalt(),
+        password=hashlib.md5(
+            password.encode(),
+            usedforsecurity=False,
+        )
+        .hexdigest()
+        .encode(),
+        salt=bcrypt.gensalt(),
     ).decode()
 
 
-def check_osu_password(*, untrusted_password: str, hashed_password: str) -> bool:
+def check_osu_password(
+    *,
+    untrusted_password: str,
+    hashed_password: str,
+) -> bool:
     return bcrypt.checkpw(
-        hashlib.md5(untrusted_password.encode()).hexdigest().encode(),
-        hashed_password.encode(),
+        password=hashlib.md5(
+            untrusted_password.encode(),
+            usedforsecurity=False,
+        )
+        .hexdigest()
+        .encode(),
+        hashed_password=hashed_password.encode(),
     )
 
 
 def generate_access_token() -> str:
-    return secrets.token_urlsafe(32)
+    return secrets.token_urlsafe(nbytes=32)
diff --git a/app/usecases/users.py b/app/usecases/users.py
@@ -159,7 +159,8 @@ async def update_password(
             user_feedback="Incorrect password.",
         )
 
-    await users.update_password(user_id, new_password)
+    hashed_password = security.hash_osu_password(new_password)
+    await users.update_password(user_id, new_hashed_password=hashed_password)
     return None