fix: push with required credentials

Author: wangeguo

Cargo.lock

@@ -7,7 +7,7 @@ resolver = "2"
 [package]
 name = "backend"
 description = "Backend API and services for StackClass"
-version = "0.32.3"
+version = "0.32.4"
 edition = "2024"
 
 default-run = "stackclass-server"
@@ -62,4 +62,4 @@ utoipa = { version = "5.4.0", features = ["axum_extras", "uuid", "chrono", "macr
 utoipa-swagger-ui = { version = "9.0.2", features = ["axum", "reqwest"] }
 uuid = { version = "1.18.0", features = ["serde", "v4", "fast-rng", "macro-diagnostics"] }
 walkdir = "2.5.0"
-bcrypt = "0.17.0"
+sha2 = "0.10.9"

Cargo.toml

@@ -6,7 +6,7 @@
     "license": {
       "name": ""
     },
-    "version": "0.32.3"
+    "version": "0.32.4"
   },
   "paths": {
     "/v1/courses": {

openapi.json

@@ -74,9 +74,6 @@ pub enum ApiError {
 
     #[error("Serialization Error: {0}")]
     SerializationError(#[source] serde_json::Error),
-
-    #[error("Bcrypt Error: {0}")]
-    BcryptError(#[from] bcrypt::BcryptError),
 }
 
 impl From<sqlx::Error> for ApiError {
@@ -108,7 +105,6 @@ impl From<&ApiError> for StatusCode {
             ApiError::GitError(_) => StatusCode::INTERNAL_SERVER_ERROR,
             ApiError::KubernetesError(_) => StatusCode::INTERNAL_SERVER_ERROR,
             ApiError::SerializationError(_) => StatusCode::INTERNAL_SERVER_ERROR,
-            ApiError::BcryptError(_) => StatusCode::INTERNAL_SERVER_ERROR,
         }
     }
 }

src/errors.rs

@@ -25,7 +25,7 @@ use crate::{
     model::UserModel,
     repository::{CourseRepository, UserRepository},
     service::{CourseService, PipelineService, StageService, StorageError, StorageService},
-    utils::git,
+    utils::{crypto, git},
 };
 
 #[allow(dead_code)]
@@ -60,6 +60,7 @@ impl RepoService {
             git_server_endpoint,
             git_committer_name,
             git_committer_email,
+            auth_secret,
             ..
         } = &self.ctx.config;
 
@@ -94,7 +95,10 @@ impl RepoService {
         // ... and push to the remote repository
         let remote_url = format!("{git_server_endpoint}/{owner}/{repo}.git");
         git::add_remote(workspace, "origin", &remote_url).await?;
-        git::push(workspace, "origin", "main").await?;
+
+        // Push with required credentials
+        let password = crypto::password(git_committer_email, auth_secret);
+        git::push(workspace, "origin", "main", TEMPLATE_OWNER, &password).await?;
 
         debug!("Successfully pushed template contents to repository: {}", remote_url);
         Ok(())
@@ -238,9 +242,9 @@ impl RepoService {
             Ok(user) => Ok(user),
             Err(ClientError::NotFound) => {
                 // Generate a password using email + auth_secret
-                let password = format!("{}{}", req.email, self.ctx.config.auth_secret);
-                let hashed_password = bcrypt::hash(password, bcrypt::DEFAULT_COST)?;
-                req.password = Some(hashed_password);
+                let salt = &self.ctx.config.auth_secret;
+                let password = crypto::password(&req.email, salt);
+                req.password = Some(password);
 
                 Ok(self.ctx.git.create_user(req).await?)
             }

src/service/repository.rs

@@ -0,0 +1,27 @@
+// Copyright (c) The StackClass Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use sha2::{Digest, Sha256};
+
+/// Generates a deterministic SHA-256 hash of the password.
+pub fn password(input: &str, salt: &str) -> String {
+    let password = format!("{}{}", input, salt);
+
+    let mut hasher = Sha256::new();
+    hasher.update(password.as_bytes());
+    let result = hasher.finalize();
+
+    // Convert to hex string
+    format!("{:x}", result)
+}

src/utils/crypto.rs

@@ -62,10 +62,28 @@ pub async fn add_remote(dir: &Path, remote_name: &str, remote_url: &str) -> Resu
     git(dir, &["remote", "add", remote_name, remote_url]).await.map_err(GitError::AddRemote)
 }
 
-/// Pushes changes to a remote repository.
+/// Pushes changes to a remote repository with authentication.
 #[inline]
-pub async fn push(dir: &Path, remote_name: &str, branch: &str) -> Result<(), GitError> {
-    git(dir, &["push", "--force", remote_name, branch]).await.map_err(GitError::PushChanges)
+pub async fn push(
+    dir: &Path,
+    remote: &str,
+    branch: &str,
+    username: &str,
+    password: &str,
+) -> Result<(), GitError> {
+    let output = Command::new("git")
+        .args(["push", "--force", remote, branch])
+        .current_dir(dir)
+        .env("GIT_USERNAME", username)
+        .env("GIT_PASSWORD", password)
+        .output()
+        .await
+        .map_err(|e| GitError::PushChanges(e.to_string()))?;
+
+    if !output.status.success() {
+        return Err(GitError::PushChanges(String::from_utf8_lossy(&output.stderr).to_string()));
+    }
+    Ok(())
 }
 
 /// Configures Git settings for the repository.

src/utils/git.rs

@@ -12,4 +12,5 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+pub mod crypto;
 pub mod git;