From 81c941384ad421c1080117954375a4770b8e5143 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Mon, 19 Feb 2024 11:17:03 +0100
Subject: [PATCH] Rehash user password on login if necessary

Closes: https://todo.sr.ht/~emersion/sinwon/5
---
 entity.go | 5 +++++
 user.go | 11 +++++++++++

diff --git a/entity.go b/entity.go
index 839411500ff02fb6f73b62e7e267856c035039fa..2da070606840a1bdb61b42f7fdabbb694b661687 100644
--- a/entity.go
+++ b/entity.go
@@ -94,6 +94,11 @@
 user.PasswordHash = string(hash)
 return nil
 }
+func (user *User) PasswordNeedsRehash() bool {
+ cost, _ := bcrypt.Cost([]byte(user.PasswordHash))
+ return cost != bcrypt.DefaultCost
+}
+
 type Client struct {
 ID ID[*Client]
 ClientID string
diff --git a/user.go b/user.go
index b652d6b5d92004a31e8113e73408dfc2b3238e46..3fda6f844b9b994cc5f511fdf00d94d2b2a7ed05 100644
--- a/user.go
+++ b/user.go
@@ -92,6 +92,17 @@
 }
 return
 }
+ if user.PasswordNeedsRehash() {
+ if err := user.SetPassword(password); err != nil {
+ httpError(w, fmt.Errorf("failed to rehash password: %v", err))
+ return
+ }
+ if err := db.StoreUser(ctx, user); err != nil {
+ httpError(w, fmt.Errorf("failed to store user: %v", err))
+ return
+ }
+ }
+
 token := AccessToken{
 User: user.ID,
 Scope: internalTokenScope,
-- 
2.48.1
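Review bot: In `PasswordNeedsRehash` (entity.go hunk), `cost != bcrypt.DefaultCost` is also true when the stored hash has a higher cost than the default, so a login would replace a stronger hash with a weaker one. This assumes `SetPassword` hashes at `bcrypt.DefaultCost`; only its last lines are visible in the hunk. Comparing with `<` removes the downgrade: `return cost < bcrypt.DefaultCost`. The error from `bcrypt.Cost` is discarded, so an empty or non-bcrypt `PasswordHash` yields cost 0 and reports true. Either handle it (`if err != nil { return false }`) or add a comment such as `// callers must have verified the password against this hash first`.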
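Review bot: In the user.go hunk, a failure in `user.SetPassword` or `db.StoreUser` during the rehash ends the login with `httpError` and `return`, although the password appears to have been accepted already, so an opportunistic hash upgrade can deny a valid login. This can happen on a transient store error, or when hashing rejects an input that verification accepted, as `bcrypt.GenerateFromPassword` does with `ErrPasswordTooLong`. Consider treating the rehash as best effort: log the error with the file's usual logger and fall through to token issuance instead of returning. If failing the login is intended, a short comment above the `if user.PasswordNeedsRehash()` block saying why would help. The enclosing handler starts and ends outside the hunk, so the preceding password check is assumed rather than visible.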