From b35d2d4fe7c39b76b6c51480ade538cb786c9a7c Mon Sep 17 00:00:00 2001
From: ZhenYi <434836402@qq.com>
Date: Fri, 15 May 2026 11:48:46 +0800
Subject: [PATCH] refactor(access_key): migrate auth to Argon2 password verification

- Replace custom hash check with Argon2 password verification
- Scan all un-revoked tokens for matching access key
- Add expiry validation per token with proper skip logic
---
 libs/service/user/access_key.rs | 35 ++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/libs/service/user/access_key.rs b/libs/service/user/access_key.rs
index c7de5f2..d628495 100644
--- a/libs/service/user/access_key.rs
+++ b/libs/service/user/access_key.rs
@@ -1,5 +1,7 @@
 use crate::AppService;
 use crate::error::AppError;
+use argon2::Argon2;
+use argon2::password_hash::{PasswordHash, PasswordVerifier};
 use chrono::Utc;
 use models::users::{user_activity_log, user_token};
 use sea_orm::*;
@@ -191,22 +193,33 @@ impl AppService {
 }

 pub async fn user_verify_access_key(&self, access_key: String) -> Result {
- let access_key_hash = self.user_hash_access_key(&access_key);
-
- let access_key_model = user_token::Entity::find()
- .filter(user_token::Column::TokenHash.eq(access_key_hash))
+ let access_key_models = user_token::Entity::find()
 .filter(user_token::Column::IsRevoked.eq(false))
- .one(&self.db)
- .await?
- .ok_or(AppError::Unauthorized)?;
+ .all(&self.db)
+ .await?;

- if let Some(expires_at) = access_key_model.expires_at {
- if expires_at < Utc::now() {
- return Err(AppError::Unauthorized);
+ for access_key_model in access_key_models {
+ if access_key_model
+ .expires_at
+ .map(|expires_at| expires_at < Utc::now())
+ .unwrap_or(false)
+ {
+ continue;
+ }
+
+ let Ok(hash) = PasswordHash::new(&access_key_model.token_hash) else {
+ continue;
+ };
+
+ if Argon2::default()
+ .verify_password(access_key.as_bytes(), &hash)
+ .is_ok()
+ {
+ return Ok(access_key_model.user);
 }
 }

- Ok(access_key_model.user)
+ Err(AppError::Unauthorized)
 }

 fn user_generate_access_key(&self) -> String {
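Review bot: An unknown or mistyped key now costs a read of every un-revoked `user_token` row plus one Argon2 verification per row in the `for` loop of `user_verify_access_key`, all before the caller is authenticated, so the price of a failed check grows with the table and invites CPU and memory exhaustion. A salted Argon2 hash cannot be found by equality, so the key needs a non-secret lookup part: split it, e.g. `let Some((key_id, secret)) = access_key.split_once('.') else { return Err(AppError::Unauthorized) };`, fetch the single row by an indexed id column (which would have to be added; none is visible here), and verify only `secret` against it. If `user_generate_access_key` produces high-entropy random keys (its body is outside the hunk), the previous deterministic-hash lookup was already adequate, since a memory-hard hash mainly protects guessable secrets. Rows whose `token_hash` fails `PasswordHash::new` are skipped silently, which presumably covers every hash stored by the old scheme; a log line or counter at that `continue` would make the migration gap visible. The verification also runs inline in an `async fn`, so each hash occupies the executor thread; consider moving it to a blocking task if the runtime supports one.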