refactor(pkg,api,cli): remove UserPassword struct

Author: heiytor

api/services/auth.go

@@ -20,6 +20,7 @@ import (
 	"github.com/shellhub-io/shellhub/pkg/api/jwttoken"
 	"github.com/shellhub-io/shellhub/pkg/api/requests"
 	"github.com/shellhub-io/shellhub/pkg/clock"
+	"github.com/shellhub-io/shellhub/pkg/hash"
 	"github.com/shellhub-io/shellhub/pkg/models"
 	"github.com/shellhub-io/shellhub/pkg/uuid"
 	log "github.com/sirupsen/logrus"
@@ -226,7 +227,7 @@ func (s *service) AuthLocalUser(ctx context.Context, req *requests.AuthLocalUser
 		return nil, lockout, "", NewErrAuthUnathorized(nil)
 	}
 
-	if !user.Password.Compare(req.Password) {
+	if !hash.CompareWith(req.Password, user.PasswordDigest) {
 		lockout, _, err := s.cache.StoreLoginAttempt(ctx, sourceIP, user.ID)
 		if err != nil {
 			log.WithError(err).
@@ -285,9 +286,9 @@ func (s *service) AuthLocalUser(ctx context.Context, req *requests.AuthLocalUser
 
 	// Updates last_login and the hash algorithm to bcrypt if still using SHA256
 	changes := &models.UserChanges{LastLogin: clock.Now(), PreferredNamespace: &tenantID}
-	if !strings.HasPrefix(user.Password.Hash, "$") {
-		if neo, _ := models.HashUserPassword(req.Password); neo.Hash != "" {
-			changes.Password = neo.Hash
+	if !strings.HasPrefix(user.PasswordDigest, "$") {
+		if pwdDigest, _ := hash.Do(req.Password); pwdDigest != "" {
+			changes.Password = pwdDigest
 		}
 	}
 

api/services/setup.go

@@ -14,6 +14,7 @@ import (
 	"github.com/shellhub-io/shellhub/pkg/api/authorizer"
 	"github.com/shellhub-io/shellhub/pkg/api/requests"
 	"github.com/shellhub-io/shellhub/pkg/clock"
+	"github.com/shellhub-io/shellhub/pkg/hash"
 	"github.com/shellhub-io/shellhub/pkg/models"
 	"github.com/shellhub-io/shellhub/pkg/uuid"
 )
@@ -41,19 +42,19 @@ func (s *service) Setup(ctx context.Context, req requests.Setup) error {
 		return NewErrUserInvalid(nil, err)
 	}
 
-	password, err := models.HashUserPassword(req.Password)
+	pwdDigest, err := hash.Do(req.Password)
 	if err != nil {
 		return NewErrUserPasswordInvalid(err)
 	}
 
-	if ok, err := s.validator.Struct(password); !ok || err != nil {
+	if ok, err := s.validator.Struct(pwdDigest); !ok || err != nil {
 		return NewErrUserPasswordInvalid(err)
 	}
 
 	user := &models.User{
-		Origin:   models.UserOriginLocal,
-		UserData: data,
-		Password: password,
+		Origin:         models.UserOriginLocal,
+		UserData:       data,
+		PasswordDigest: pwdDigest,
 		// NOTE: user's created from the setup screen doesn't need to be confirmed.
 		Status:        models.UserStatusConfirmed,
 		CreatedAt:     clock.Now(),

api/services/user.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/shellhub-io/shellhub/pkg/api/requests"
+	"github.com/shellhub-io/shellhub/pkg/hash"
 	"github.com/shellhub-io/shellhub/pkg/models"
 )
 
@@ -46,12 +47,12 @@ func (s *service) UpdateUser(ctx context.Context, req *requests.UpdateUser) ([]s
 
 	if req.Password != "" {
 		// TODO: test
-		if !user.Password.Compare(req.CurrentPassword) {
+		if !hash.CompareWith(req.CurrentPassword, user.PasswordDigest) {
 			return []string{}, NewErrUserPasswordNotMatch(nil)
 		}
 
-		neo, _ := models.HashUserPassword(req.Password)
-		changes.Password = neo.Hash
+		pwdDigest, _ := hash.Do(req.Password)
+		changes.Password = pwdDigest
 	}
 
 	if err := s.store.UserUpdate(ctx, req.UserID, changes); err != nil {
@@ -70,16 +71,16 @@ func (s *service) UpdatePasswordUser(ctx context.Context, id, currentPassword, n
 		return NewErrUserNotFound(id, err)
 	}
 
-	if !user.Password.Compare(currentPassword) {
+	if !hash.CompareWith(currentPassword, user.PasswordDigest) {
 		return NewErrUserPasswordNotMatch(nil)
 	}
 
-	neo, err := models.HashUserPassword(newPassword)
+	pwdDigest, err := hash.Do(newPassword)
 	if err != nil {
 		return NewErrUserPasswordInvalid(err)
 	}
 
-	if err := s.store.UserUpdate(ctx, id, &models.UserChanges{Password: neo.Hash}); err != nil {
+	if err := s.store.UserUpdate(ctx, id, &models.UserChanges{Password: pwdDigest}); err != nil {
 		return NewErrUserUpdate(user, err)
 	}
 

cli/services/users.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/shellhub-io/shellhub/cli/pkg/inputs"
 	"github.com/shellhub-io/shellhub/pkg/clock"
+	"github.com/shellhub-io/shellhub/pkg/hash"
 	"github.com/shellhub-io/shellhub/pkg/models"
 )
 
@@ -40,23 +41,18 @@ func (s *service) UserCreate(ctx context.Context, input *inputs.UserCreate) (*mo
 		}
 	}
 
-	password, err := models.HashUserPassword(input.Password)
+	pwdDigest, err := hash.Do(input.Password)
 	if err != nil {
 		return nil, ErrUserPasswordInvalid
 	}
 
-	// TODO: validate this at cmd layer
-	if ok, err := s.validator.Struct(password); !ok || err != nil {
-		return nil, ErrUserPasswordInvalid
-	}
-
 	user := &models.User{
-		Origin:        models.UserOriginLocal,
-		UserData:      userData,
-		Password:      password,
-		Status:        models.UserStatusConfirmed,
-		CreatedAt:     clock.Now(),
-		MaxNamespaces: MaxNumberNamespacesCommunity,
+		Origin:         models.UserOriginLocal,
+		UserData:       userData,
+		PasswordDigest: pwdDigest,
+		Status:         models.UserStatusConfirmed,
+		CreatedAt:      clock.Now(),
+		MaxNamespaces:  MaxNumberNamespacesCommunity,
 		Preferences: models.UserPreferences{
 			AuthMethods: []models.UserAuthMethod{models.UserAuthMethodLocal},
 		},
@@ -117,17 +113,12 @@ func (s *service) UserUpdate(ctx context.Context, input *inputs.UserUpdate) erro
 		return ErrUserNotFound
 	}
 
-	password, err := models.HashUserPassword(input.Password)
+	pwdDigest, err := hash.Do(input.Password)
 	if err != nil {
 		return ErrUserPasswordInvalid
 	}
 
-	// TODO: validate this at cmd layer
-	if ok, err := s.validator.Struct(password); !ok || err != nil {
-		return ErrUserPasswordInvalid
-	}
-
-	if err := s.store.UserUpdate(ctx, user.ID, &models.UserChanges{Password: password.Hash}); err != nil {
+	if err := s.store.UserUpdate(ctx, user.ID, &models.UserChanges{Password: pwdDigest}); err != nil {
 		return ErrFailedUpdateUser
 	}
 

pkg/models/user.go

@@ -3,7 +3,6 @@ package models
 import (
 	"time"
 
-	"github.com/shellhub-io/shellhub/pkg/hash"
 	"github.com/shellhub-io/shellhub/pkg/validator"
 )
 
@@ -72,13 +71,16 @@ type User struct {
 	LastLogin      time.Time `json:"last_login" bson:"last_login"`
 	EmailMarketing bool      `json:"email_marketing" bson:"email_marketing"`
 	UserData       `bson:",inline"`
+
+	// PasswordDigest stores the hashed password.
+	PasswordDigest string `json:"-"`
+
 	// MFA contains attributes related to a user's MFA settings. Use [UserMFA.Enabled] to
 	// check if MFA is active for the user.
 	//
 	// NOTE: MFA is available as a cloud-only feature and must be ignored in community.
 	MFA         UserMFA         `json:"mfa" bson:"mfa"`
 	Preferences UserPreferences `json:"preferences" bson:"preferences"`
-	Password    UserPassword    `bson:",inline"`
 }
 
 type UserData struct {
@@ -110,35 +112,6 @@ type UserPreferences struct {
 	AuthMethods []UserAuthMethod `json:"auth_methods" bson:"auth_methods"`
 }
 
-type UserPassword struct {
-	// Plain contains the plain text password.
-	Plain string `json:"password" bson:"-" validate:"required,password"`
-	// Hash contains the hashed pasword from plain text.
-	Hash string `json:"-" bson:"password"`
-}
-
-// HashUserPassword receives a plain password and hash it, returning
-// a [UserPassword].
-func HashUserPassword(plain string) (UserPassword, error) {
-	p := UserPassword{
-		Plain: plain,
-	}
-
-	var err error
-	p.Hash, err = hash.Do(p.Plain)
-
-	return p, err
-}
-
-// Compare reports whether a plain password matches with hash.
-//
-// For compatibility purposes, it can compare using both SHA256 and bcrypt algorithms.
-// Hashes starting with "$" are assumed to be a bcrypt hash; otherwise, they are treated as
-// SHA256 hashes.
-func (p *UserPassword) Compare(plain string) bool {
-	return hash.CompareWith(plain, p.Hash)
-}
-
 // UserAuthIdentifier is an username or email used to authenticate.
 type UserAuthIdentifier string