refact(password): simplify preset password

Signed-off-by: fufesou <linlong1266@gmail.com>
2026-05-25 17:19:15 +00:00 · 2026-05-20 16:57:16 +08:00
parent e7af2e8488
commit f94992f6ca
2 changed files with 22 additions and 35 deletions
--- a/src/config.rs
+++ b/src/config.rs
@@ -23,13 +23,12 @@ mod permanent_password;

 pub use permanent_password::{
    compute_permanent_password_h1, decode_permanent_password_h1_from_storage,
-    local_permanent_password_storage_is_usable_for_auth,
+    decode_preset_password_h1_from_storage, local_permanent_password_storage_is_usable_for_auth,
    preset_permanent_password_storage_is_usable_for_auth, ENCRYPT_MAX_LEN,
 };
 use permanent_password::{
    decode_permanent_password_h1_from_hashed_storage, decrypt_permanent_password_str_or_original,
-    encode_permanent_password_encrypted_storage_from_h1, normalize_preset_password_storage,
-    password_is_empty_or_not_hashed, permanent_password_storage_is_hashed,
+    encode_permanent_password_encrypted_storage_from_h1, password_is_empty_or_not_hashed,
    preset_permanent_password_storage_matches_plain, DEFAULT_SALT_LEN, PASSWORD_ENC_VERSION,
    PERMANENT_PASSWORD_H1_LEN,
 };
@@ -1409,7 +1408,7 @@ impl Config {
        let hard_settings = HARD_SETTINGS.read().unwrap();
        let storage = hard_settings.get("password").cloned().unwrap_or_default();
        let salt = hard_settings.get("salt").cloned().unwrap_or_default();
-        (normalize_preset_password_storage(storage, &salt), salt)
+        (storage, salt)
    }

    pub fn get_effective_permanent_password_salt() -> String {
@@ -1422,7 +1421,7 @@ impl Config {
        }
        let (preset_storage, preset_salt) = Self::get_preset_password_storage_and_salt();
        if !preset_salt.is_empty() {
-            if permanent_password_storage_is_hashed(&preset_storage) {
+            if preset_permanent_password_storage_is_usable_for_auth(&preset_storage, &preset_salt) {
                return preset_salt;
            }
            return String::new();
--- a/src/config/permanent_password.rs
+++ b/src/config/permanent_password.rs
@@ -102,20 +102,6 @@ pub(super) fn decrypt_permanent_password_str_or_original(storage: &str) -> (Stri
    (storage.to_owned(), false, !storage.is_empty())
 }

-pub(super) fn normalize_preset_password_storage(storage: String, salt: &str) -> String {
-    if salt.is_empty() {
-        return storage;
-    }
-    if let Some(h1) = decode_hbbs_preset_password_h1_from_storage(&storage) {
-        if let Some(storage) = encode_permanent_password_encrypted_storage_from_h1(&h1) {
-            return storage;
-        }
-        log::error!("Failed to encrypt preset permanent password hash storage");
-        return String::new();
-    }
-    storage
-}
-
 pub(super) fn permanent_password_storage_is_usable_for_auth(storage: &str, salt: &str) -> bool {
    if storage.is_empty() {
        return false;
@@ -148,11 +134,10 @@ pub fn preset_permanent_password_storage_is_usable_for_auth(storage: &str, salt:
    decode_preset_password_h1_from_storage(storage).is_some()
 }

-fn decode_preset_password_h1_from_storage(
+pub fn decode_preset_password_h1_from_storage(
    storage: &str,
 ) -> Option<[u8; PERMANENT_PASSWORD_H1_LEN]> {
-    decode_permanent_password_h1_from_storage(storage)
-        .or_else(|| decode_hbbs_preset_password_h1_from_storage(storage))
+    decode_hbbs_preset_password_h1_from_storage(storage)
 }

 pub fn local_permanent_password_storage_is_usable_for_auth(storage: &str, salt: &str) -> bool {
@@ -167,10 +152,6 @@ pub fn local_permanent_password_storage_is_usable_for_auth(storage: &str, salt:
    permanent_password_storage_is_usable_for_auth(storage, salt)
 }

-pub(super) fn permanent_password_storage_is_hashed(storage: &str) -> bool {
-    decode_permanent_password_h1_from_storage(storage).is_some()
-}
-
 #[cfg(test)]
 fn permanent_password_storage_matches_plain(storage: &str, salt: &str, input: &str) -> bool {
    if storage.is_empty() || input.is_empty() {
@@ -299,14 +280,11 @@ mod tests {
    }

    #[test]
-    fn test_hbbs_00_hashed_preset_password_storage_is_normalized() {
+    fn test_hbbs_00_hashed_preset_password_storage_is_decoded_for_preset_auth() {
        let h1 = compute_permanent_password_h1("p@ssw0rd", "salt123");
        let storage = encode_hbbs_preset_password_storage_from_h1(&h1);

-        assert_eq!(
-            normalize_preset_password_storage(storage, "salt123"),
-            encode_permanent_password_encrypted_storage_from_h1(&h1).unwrap()
-        );
+        assert_eq!(decode_preset_password_h1_from_storage(&storage), Some(h1));
    }

    #[test]
@@ -326,15 +304,25 @@ mod tests {
        ));
    }

+    #[test]
+    fn test_encrypted_hash_storage_is_not_accepted_as_preset_storage() {
+        let salt = "salt123";
+        let h1 = compute_permanent_password_h1("p@ssw0rd", salt);
+        let storage = encode_permanent_password_encrypted_storage_from_h1(&h1).unwrap();
+
+        assert!(!preset_permanent_password_storage_is_usable_for_auth(
+            &storage, salt
+        ));
+        assert!(!preset_permanent_password_storage_matches_plain(
+            &storage, salt, "p@ssw0rd"
+        ));
+    }
+
    #[test]
    fn test_hbbs_00_shaped_preset_password_without_salt_stays_plaintext() {
        let h1 = compute_permanent_password_h1("p@ssw0rd", "salt123");
        let storage = encode_hbbs_preset_password_storage_from_h1(&h1);

-        assert_eq!(
-            normalize_preset_password_storage(storage.clone(), ""),
-            storage
-        );
        assert!(preset_permanent_password_storage_is_usable_for_auth(
            &storage, ""
        ));