From 42e89fa169ae04b89cfbd7482af7c50bea3aecf2 Mon Sep 17 00:00:00 2001
From: Pat Garrity
Date: Tue, 3 Feb 2026 07:39:22 -0600
Subject: [PATCH] Bit of docs
---
 .../scala/gs/smolban/db/doobie/DoobieAuthDb.scala | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/modules/db/src/main/scala/gs/smolban/db/doobie/DoobieAuthDb.scala b/modules/db/src/main/scala/gs/smolban/db/doobie/DoobieAuthDb.scala
index dd82df6..885a2e8 100644
--- a/modules/db/src/main/scala/gs/smolban/db/doobie/DoobieAuthDb.scala
+++ b/modules/db/src/main/scala/gs/smolban/db/doobie/DoobieAuthDb.scala
@@ -78,7 +78,7 @@ final class DoobieAuthDb[F[_]: Sync](
 initialPermissions: PermissionSet,
 createdAt: CreatedAt
 ): F[ConnectionIO[Either[DbError, User]]] =
- // Prepare Password
+ // Prepare Password -- exchange the encrypted version for a hashed version.
 exchangeEncryptedForHash(initialPassword.unwrap()).map { passwordHash =>
 // Insert the base user record.
 val accountId = AccountId.generate()
@@ -129,6 +129,19 @@ final class DoobieAuthDb[F[_]: Sync](
 }
 }
+ /** Exchange an encrypted set of bytes for a hashed set of bytes. This is used
+ * for credential updates. Performs a decrypt followed by a hash.
+ *
+ * This function is the _only time_ an incoming credential exists in clear
+ * text. Note that _generated credentials_ for service accounts are returned
+ * in clear text (once) so that the user can record them for integration into
+ * other applications.
+ *
+ * @param rsa
+ * The RSA encrypted bytes.
+ * @return
+ * The hashed version of the previously-encrypted data.
+ */
 private def exchangeEncryptedForHash(rsa: RsaEncryptedBytes): F[Argon2Hash] =
 rsaDecryption.decrypt(rsa).flatMap(argon2.calculateHash)
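Review bot: The new Scaladoc on `exchangeEncryptedForHash` says it is "used for credential updates", but the first hunk calls it with `initialPassword.unwrap()` on what appears to be the user-creation path, so the sentence should cover both, e.g. `This is used whenever an incoming credential is stored (account creation and credential updates).` The "only time ... in clear text" statement is an invariant rather than something the two-line body enforces: the value handed from `rsaDecryption.decrypt` to `argon2.calculateHash` is not visible here, so the doc should name what carries the plaintext and state that it must not be logged, retained, or copied into a `DbError` on failure. I would add a line such as `The decrypted value must never be logged, stored, or included in error values; it is passed directly to the hash function.` If the decrypted type supports wiping its backing bytes after hashing, that is worth noting in the same comment; confirm against the `rsaDecryption` and `argon2` interfaces, which are outside this hunk.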