authorOwen Jacobson <owen@grimoire.ca>2024-09-28 01:40:22 -0400
committerOwen Jacobson <owen@grimoire.ca>2024-09-28 20:48:40 -0400
commit4d0bb0709b168a24ab6a8dbc86da45d7503596ee (patch)
tree031f2e35f07cef7305809e3a1d310bf304d15460 /src/test/fixtures
parent72efedf8e96ca6e159ce6146809ee6d3a9e5a0e7 (diff)
Wrap credential and credential-holding types to prevent `Debug` leaks.
The following values are considered confidential, and should never be logged, even by accident: * `Password`, which is a durable bearer token for a specific Login; * `IdentitySecret`, which is an ephemeral but potentially long-lived bearer token for a specific Login; or * `IdentityToken`, which may hold cookies containing an `IdentitySecret`. These values are now wrapped in types whose `Debug` impls output opaque values, so that they can be included in structs that `#[derive(Debug)]` without requiring any additional care. The wrappers also avoid implementing `Display`, to prevent inadvertent `to_string()`s. We don't bother obfuscating `IdentitySecret`s in memory or in the `.hi` database. There's no point: we'd also need to store the information needed to de-obfuscate them, and they can be freely invalidated and replaced by blanking that table and asking everyone to log in again. Passwords _are_ obfuscated for storage, as they're intended to be durable.
Diffstat (limited to 'src/test/fixtures')
-rw-r--r--src/test/fixtures/identity.rs15
-rw-r--r--src/test/fixtures/login.rs9
2 files changed, 15 insertions, 9 deletions
diff --git a/src/test/fixtures/identity.rs b/src/test/fixtures/identity.rs
index 16463aa..69b5f4c 100644
--- a/src/test/fixtures/identity.rs
+++ b/src/test/fixtures/identity.rs
@@ -1,12 +1,17 @@
use uuid::Uuid;
-use crate::{app::App, clock::RequestedAt, login::extract::IdentityToken};
+use crate::{
+ app::App,
+ clock::RequestedAt,
+ login::extract::{IdentitySecret, IdentityToken},
+ password::Password,
+};
pub fn not_logged_in() -> IdentityToken {
IdentityToken::new()
}
-pub async fn logged_in(app: &App, login: &(String, String), now: &RequestedAt) -> IdentityToken {
+pub async fn logged_in(app: &App, login: &(String, Password), now: &RequestedAt) -> IdentityToken {
let (name, password) = login;
let token = app
.logins()
@@ -14,14 +19,14 @@ pub async fn logged_in(app: &App, login: &(String, String), now: &RequestedAt) -
.await
.expect("should succeed given known-valid credentials");
- IdentityToken::new().set(&token)
+ IdentityToken::new().set(token)
}
-pub fn secret(identity: &IdentityToken) -> &str {
+pub fn secret(identity: &IdentityToken) -> IdentitySecret {
identity.secret().expect("identity contained a secret")
}
pub fn fictitious() -> IdentityToken {
let token = Uuid::new_v4().to_string();
- IdentityToken::new().set(&token)
+ IdentityToken::new().set(token)
}
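Review bot: `secret()` now returns an owned `IdentitySecret` instead of a borrowed `&str`, and the fixture has no doc comment telling test authors what that changes for them. Per the commit description the wrapper's `Debug` output is opaque and it has no `Display`, so a failing `assert_eq!` on two secrets will show the opaque form for both sides rather than the values. That trade-off looks intended, so I would record it above the signature: `/// Returns the secret held by the token, panicking if it has none; its Debug output is deliberately opaque.`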
diff --git a/src/test/fixtures/login.rs b/src/test/fixtures/login.rs
index f1e4b15..d6a321b 100644
--- a/src/test/fixtures/login.rs
+++ b/src/test/fixtures/login.rs
@@ -3,10 +3,11 @@ use uuid::Uuid;
use crate::{
app::App,
+ password::Password,
repo::login::{self, Login},
};
-pub async fn create_with_password(app: &App) -> (String, String) {
+pub async fn create_with_password(app: &App) -> (String, Password) {
let (name, password) = propose();
app.logins()
.create(&name, &password)
@@ -31,7 +32,7 @@ pub fn fictitious() -> Login {
}
}
-pub fn propose() -> (String, String) {
+pub fn propose() -> (String, Password) {
(name(), propose_password())
}
@@ -39,6 +40,6 @@ fn name() -> String {
rand::random::<internet::Username>().to_string()
}
-pub fn propose_password() -> String {
- Uuid::new_v4().to_string()
+pub fn propose_password() -> Password {
+ Uuid::new_v4().to_string().into()
}
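Review bot: The `.into()` in `propose_password` leaves the wrapping step implicit, so a reader has to go to the return type to see that the UUID string becomes a `Password` here. Since the commit is about credentials living inside the wrapper types, naming the target at the point of conversion reads better: `Password::from(Uuid::new_v4().to_string())`. This assumes the conversion in play is `From<String> for Password`, which the `.into()` call implies but the hunk does not show.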