Perform same checks when setting kdf (#6141)

2025-10-31 02:08:20 +02:00 · 2025-08-07 23:33:27 +02:00
parent 318653b0e5
commit a0c76284fd
1 changed files with 30 additions and 27 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -66,15 +66,22 @@ pub fn routes() -> Vec<rocket::Route> {
    ]
 }

+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct KDFData {
+    kdf: i32,
+    kdf_iterations: i32,
+    kdf_memory: Option<i32>,
+    kdf_parallelism: Option<i32>,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct RegisterData {
    email: String,

-    kdf: Option<i32>,
-    kdf_iterations: Option<i32>,
-    kdf_memory: Option<i32>,
-    kdf_parallelism: Option<i32>,
+    #[serde(flatten)]
+    kdf: KDFData,

    #[serde(alias = "userSymmetricKey")]
    key: String,
@@ -269,16 +276,7 @@ pub async fn _register(data: Json<RegisterData>, email_verification: bool, mut c
    // Make sure we don't leave a lingering invitation.
    Invitation::take(&email, &mut conn).await;

-    if let Some(client_kdf_type) = data.kdf {
-        user.client_kdf_type = client_kdf_type;
-    }
-
-    if let Some(client_kdf_iter) = data.kdf_iterations {
-        user.client_kdf_iter = client_kdf_iter;
-    }
-
-    user.client_kdf_memory = data.kdf_memory;
-    user.client_kdf_parallelism = data.kdf_parallelism;
+    set_kdf_data(&mut user, data.kdf)?;

    user.set_password(&data.master_password_hash, Some(data.key), true, None);
    user.password_hint = password_hint;
@@ -469,25 +467,15 @@ async fn post_password(data: Json<ChangePassData>, headers: Headers, mut conn: D
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct ChangeKdfData {
-    kdf: i32,
-    kdf_iterations: i32,
-    kdf_memory: Option<i32>,
-    kdf_parallelism: Option<i32>,
+    #[serde(flatten)]
+    kdf: KDFData,

    master_password_hash: String,
    new_master_password_hash: String,
    key: String,
 }

-#[post("/accounts/kdf", data = "<data>")]
-async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
-    let data: ChangeKdfData = data.into_inner();
-    let mut user = headers.user;
-
-    if !user.check_valid_password(&data.master_password_hash) {
-        err!("Invalid password")
-    }
-
+fn set_kdf_data(user: &mut User, data: KDFData) -> EmptyResult {
    if data.kdf == UserKdfType::Pbkdf2 as i32 && data.kdf_iterations < 100_000 {
        err!("PBKDF2 KDF iterations must be at least 100000.")
    }
@@ -518,6 +506,21 @@ async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, mut conn: DbConn,
    }
    user.client_kdf_iter = data.kdf_iterations;
    user.client_kdf_type = data.kdf;
+
+    Ok(())
+}
+
+#[post("/accounts/kdf", data = "<data>")]
+async fn post_kdf(data: Json<ChangeKdfData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    let data: ChangeKdfData = data.into_inner();
+    let mut user = headers.user;
+
+    if !user.check_valid_password(&data.master_password_hash) {
+        err!("Invalid password")
+    }
+
+    set_kdf_data(&mut user, data.kdf)?;
+
    user.set_password(&data.new_master_password_hash, Some(data.key), true, None);
    let save_result = user.save(&mut conn).await;