fix: generate passwords for Gitea user creation

wangeguo · wangeguo · commit cb45df88325f · 2025-08-16T17:56:07.000+08:00
diff --git a/.env.example b/.env.example
@@ -33,3 +33,6 @@ NAMESPACE=stackclass-local
 
 # Docker registry endpoint.
 DOCKER_REGISTRY_ENDPOINT=docker.stackclass.local
+
+# Secret used for hashing user passwords.
+AUTH_SECRET=JXQ2W8vY9zP1sR5tK7mN3bL6cV4dF0gH
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,7 +7,7 @@ resolver = "2"
 [package]
 name = "backend"
 description = "Backend API and services for StackClass"
-version = "0.31.1"
+version = "0.32.0"
 edition = "2024"
 
 default-run = "stackclass-server"
@@ -62,3 +62,4 @@ utoipa = { version = "5.4.0", features = ["axum_extras", "uuid", "chrono", "macr
 utoipa-swagger-ui = { version = "9.0.2", features = ["axum", "reqwest"] }
 uuid = { version = "1.18.0", features = ["serde", "v4", "fast-rng", "macro-diagnostics"] }
 walkdir = "2.5.0"
+bcrypt = "0.17.0"
diff --git a/README.md b/README.md
@@ -51,6 +51,7 @@ Options:
   --git-committer-email       Git committer email
   --namespace                 Kubernetes namespace where StackClass is running
   --docker-registry-endpoint  Docker registry endpoint
+  --auth-secret               Secret used for hashing user passwords
   --help                      Print help
 ```
 
diff --git a/openapi.json b/openapi.json
@@ -6,7 +6,7 @@
     "license": {
       "name": ""
     },
-    "version": "0.31.1"
+    "version": "0.32.0"
   },
   "paths": {
     "/v1/courses": {
diff --git a/src/config.rs b/src/config.rs
@@ -81,4 +81,8 @@ pub struct Config {
     /// Docker registry endpoint.
     #[clap(long, env)]
     pub docker_registry_endpoint: String,
+
+    /// Secret used for hashing user passwords.
+    #[clap(long, env)]
+    pub auth_secret: String,
 }
diff --git a/src/errors.rs b/src/errors.rs
@@ -74,6 +74,9 @@ pub enum ApiError {
 
     #[error("Serialization Error: {0}")]
     SerializationError(#[source] serde_json::Error),
+
+    #[error("Bcrypt Error: {0}")]
+    BcryptError(#[from] bcrypt::BcryptError),
 }
 
 impl From<sqlx::Error> for ApiError {
@@ -105,6 +108,7 @@ impl From<&ApiError> for StatusCode {
             ApiError::GitError(_) => StatusCode::INTERNAL_SERVER_ERROR,
             ApiError::KubernetesError(_) => StatusCode::INTERNAL_SERVER_ERROR,
             ApiError::SerializationError(_) => StatusCode::INTERNAL_SERVER_ERROR,
+            ApiError::BcryptError(_) => StatusCode::INTERNAL_SERVER_ERROR,
         }
     }
 }
diff --git a/src/service/repository.rs b/src/service/repository.rs
@@ -231,10 +231,17 @@ impl RepoService {
     }
 
     /// Gets a user by username, or creates the user if they don't exist.
-    async fn fetch_user(&self, username: &str, req: CreateUserRequest) -> Result<User> {
+    async fn fetch_user(&self, username: &str, mut req: CreateUserRequest) -> Result<User> {
         match self.ctx.git.get_user(username).await {
             Ok(user) => Ok(user),
-            Err(ClientError::NotFound) => Ok(self.ctx.git.create_user(req).await?),
+            Err(ClientError::NotFound) => {
+                // Generate a password using email + auth_secret
+                let password = format!("{}{}", req.email, self.ctx.config.auth_secret);
+                let hashed_password = bcrypt::hash(password, bcrypt::DEFAULT_COST)?;
+                req.password = Some(hashed_password);
+
+                Ok(self.ctx.git.create_user(req).await?)
+            }
             Err(e) => Err(e.into()),
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -81,4 +81,8 @@ pub struct Config {`
`81`	`81`	`/// Docker registry endpoint.`
`82`	`82`	`#[clap(long, env)]`
`83`	`83`	`pub docker_registry_endpoint: String,`
	`84`	`+`
	`85`	`+ /// Secret used for hashing user passwords.`
	`86`	`+ #[clap(long, env)]`
	`87`	`+ pub auth_secret: String,`
`84`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,9 @@ pub enum ApiError {`
`74`	`74`
`75`	`75`	`#[error("Serialization Error: {0}")]`
`76`	`76`	`SerializationError(#[source] serde_json::Error),`
	`77`	`+`
	`78`	`+ #[error("Bcrypt Error: {0}")]`
	`79`	`+ BcryptError(#[from] bcrypt::BcryptError),`
`77`	`80`	`}`
`78`	`81`
`79`	`82`	`impl From<sqlx::Error> for ApiError {`
`@@ -105,6 +108,7 @@ impl From<&ApiError> for StatusCode {`
`105`	`108`	`ApiError::GitError(_) => StatusCode::INTERNAL_SERVER_ERROR,`
`106`	`109`	`ApiError::KubernetesError(_) => StatusCode::INTERNAL_SERVER_ERROR,`
`107`	`110`	`ApiError::SerializationError(_) => StatusCode::INTERNAL_SERVER_ERROR,`
	`111`	`+ ApiError::BcryptError(_) => StatusCode::INTERNAL_SERVER_ERROR,`
`108`	`112`	`}`
`109`	`113`	`}`
`110`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -231,10 +231,17 @@ impl RepoService {`
`231`	`231`	`}`
`232`	`232`
`233`	`233`	`/// Gets a user by username, or creates the user if they don't exist.`
`234`		`- async fn fetch_user(&self, username: &str, req: CreateUserRequest) -> Result<User> {`
	`234`	`+ async fn fetch_user(&self, username: &str, mut req: CreateUserRequest) -> Result<User> {`
`235`	`235`	`match self.ctx.git.get_user(username).await {`
`236`	`236`	`Ok(user) => Ok(user),`
`237`		`- Err(ClientError::NotFound) => Ok(self.ctx.git.create_user(req).await?),`
	`237`	`+ Err(ClientError::NotFound) => {`
	`238`	`+ // Generate a password using email + auth_secret`
	`239`	`+ let password = format!("{}{}", req.email, self.ctx.config.auth_secret);`
	`240`	`+ let hashed_password = bcrypt::hash(password, bcrypt::DEFAULT_COST)?;`
	`241`	`+ req.password = Some(hashed_password);`
	`242`	`+`
	`243`	`+ Ok(self.ctx.git.create_user(req).await?)`
	`244`	`+ }`
`238`	`245`	`Err(e) => Err(e.into()),`
`239`	`246`	`}`
`240`	`247`	`}`