Fixes

app/security.py

@@ -11,9 +11,9 @@ def hash_osu_password(password: str) -> str:
     ).decode()
 
 
-def check_osu_password(password: str, hashed_password: str) -> bool:
+def check_osu_password(*, untrusted_password: str, hashed_password: str) -> bool:
     return bcrypt.checkpw(
-        hashlib.md5(password.encode()).hexdigest().encode(),
+        hashlib.md5(untrusted_password.encode()).hexdigest().encode(),
         hashed_password.encode(),
     )
 

app/usecases/authentication.py

@@ -38,7 +38,10 @@ async def authenticate(
             user_feedback="Incorrect username or password.",
         )
 
-    if not security.check_osu_password(password, user.hashed_password):
+    if not security.check_osu_password(
+        untrusted_password=password,
+        hashed_password=user.hashed_password,
+    ):
         return Error(
             error_code=ErrorCode.INCORRECT_CREDENTIALS,
             user_feedback="Incorrect username or password.",

app/usecases/users.py

@@ -150,7 +150,10 @@ async def update_password(
             user_feedback="User not found.",
         )
 
-    if security.check_osu_password(user.hashed_password, current_password):
+    if security.check_osu_password(
+        untrusted_password=current_password,
+        hashed_password=user.hashed_password,
+    ):
         return Error(
             error_code=ErrorCode.INCORRECT_CREDENTIALS,
             user_feedback="Incorrect password.",
@@ -173,7 +176,10 @@ async def update_email_address(
             user_feedback="User not found.",
         )
 
-    if security.check_osu_password(user.hashed_password, current_password):
+    if security.check_osu_password(
+        untrusted_password=current_password,
+        hashed_password=user.hashed_password,
+    ):
         return Error(
             error_code=ErrorCode.INCORRECT_CREDENTIALS,
             user_feedback="Incorrect password.",