Insecure password handling #1

@tomtau

Description

This is a cool and helpful example for setting up a Rust project with JWT, but as an example of authentication, it is dangerous in the way it handles passwords.
There are two ways it could be improved:

  1. For the datatype in the login requests (and wherever the original password is passed around): https://github.com/pavelkrolevets/rust_jwt_auth/blob/master/src/user/mod.rs#L97 Instead of having passwords as a plain String, it could use, for example, SecUtf8: https://docs.rs/secstr/0.3.2/secstr/ This would prevent accidentally showing passwords in web logs etc.
  2. For the model / data stored in the database: https://github.com/pavelkrolevets/rust_jwt_auth/blob/master/src/user/model.rs#L65 Instead of storing plaintext passwords in the database, it could store their salted hashes, for example using Argon2: https://crates.io/crates/rust-argon2
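Added example (not code from the issue author or from the rust_jwt_auth repository): a standard-library-only Rust sketch of both suggestions above. `Secret` plays the role of `secstr::SecUtf8` (redacted `Debug`/`Display`, an explicit accessor, buffer wiped on drop), and `StoredCredential` is the shape the database row should have, a per-user random salt plus a hash, never the plaintext. The struct and field names (`LoginRequest`, `StoredCredential`, `PasswordHasher`) are assumptions, not the project's. The hash algorithm is injected through the `PasswordHasher` trait; `DemoHasher` uses std's SipHash only so that this file compiles without crates, and it is explicitly not a password hash. In a real service, implement the trait with `argon2::hash_raw` from the rust-argon2 crate and draw the salt from a CSPRNG.

```rust
// Added example, not code from pavelkrolevets/rust_jwt_auth. std-only sketch of:
//   1. a SecUtf8-like wrapper for the plaintext password in requests, and
//   2. a salted-hash credential row instead of `password: String` in the DB.
// DemoHasher below is SipHash, used ONLY so this compiles with no crates. It is
// fast and unkeyed, exactly what a password hash must not be; use Argon2
// (argon2::hash_raw from rust-argon2) and a CSPRNG salt (rand::rngs::OsRng).
use std::collections::hash_map::{DefaultHasher, RandomState};
use std::fmt;
use std::hash::{BuildHasher, Hash, Hasher};

/// Plaintext password as it arrives in a login request.
pub struct Secret(String);

impl Secret {
    pub fn new(s: impl Into<String>) -> Self {
        Secret(s.into())
    }
    /// The only way to read the plaintext, so every use is visible at the call site.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

// `{:?}` / `{}` of any struct containing a Secret print a placeholder, so logging
// a whole request (e.g. `debug!("{:?}", req)`) cannot leak the password.
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}
impl fmt::Display for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}
impl Drop for Secret {
    fn drop(&mut self) {
        // Zero the buffer before it is freed; write_volatile keeps the optimizer
        // from eliding the "dead" stores. Zero bytes keep the String valid UTF-8.
        for b in unsafe { self.0.as_bytes_mut() } {
            unsafe { std::ptr::write_volatile(b, 0) };
        }
    }
}

/// Login payload (assumed name/fields, standing in for the one in src/user/mod.rs).
#[derive(Debug)]
pub struct LoginRequest {
    pub username: String,
    pub password: Secret,
}

/// What the users table stores instead of the plaintext (assumed name/fields).
#[derive(Clone, Debug, PartialEq)]
pub struct StoredCredential {
    pub salt: [u8; 16],
    pub hash: Vec<u8>,
}

pub trait PasswordHasher {
    fn hash(&self, password: &[u8], salt: &[u8]) -> Vec<u8>;
}

/// Dependency-free stand-in, NOT a password hash. Replace with Argon2.
pub struct DemoHasher;
impl PasswordHasher for DemoHasher {
    fn hash(&self, password: &[u8], salt: &[u8]) -> Vec<u8> {
        let mut h = DefaultHasher::new();
        salt.hash(&mut h);
        password.hash(&mut h);
        h.finish().to_be_bytes().to_vec()
    }
}

/// Fresh salt per registration. RandomState is OS-seeded, good enough for the
/// demo only; use a CSPRNG in production.
pub fn random_salt() -> [u8; 16] {
    let mut salt = [0u8; 16];
    for chunk in salt.chunks_mut(8) {
        let word = RandomState::new().build_hasher().finish();
        chunk.copy_from_slice(&word.to_be_bytes());
    }
    salt
}

pub fn register(hasher: &impl PasswordHasher, password: &Secret) -> StoredCredential {
    let salt = random_salt();
    let hash = hasher.hash(password.expose().as_bytes(), &salt);
    StoredCredential { salt, hash }
}

/// Compares every byte regardless of where the first mismatch is, so the
/// response time does not reveal how much of the hash matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

pub fn verify(hasher: &impl PasswordHasher, stored: &StoredCredential, attempt: &Secret) -> bool {
    let candidate = hasher.hash(attempt.expose().as_bytes(), &stored.salt);
    ct_eq(&candidate, &stored.hash)
}

fn main() {
    let hasher = DemoHasher;
    let req = LoginRequest { username: "alice".into(), password: Secret::new("correct horse") };
    println!("{:?}", req); // password shows as Secret([REDACTED])
    let stored = register(&hasher, &req.password);
    println!("row: {:?}", stored);
    println!("ok: {}", verify(&hasher, &stored, &Secret::new("correct horse")));
    println!("wrong: {}", verify(&hasher, &stored, &Secret::new("Correct horse")));
}
```

Because the salt is generated per user, registering the same password twice yields two different rows, so a leaked table does not reveal which users share a password, and verification recomputes the hash from the stored salt rather than ever comparing plaintexts.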
