From 43243b07c595e7b6db667c2ed7a870fedaea8cc9 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Fri, 6 Jun 2025 15:30:35 +0200
Subject: [PATCH] fix(ntfy/patch): use upstreamed HashedPassword

---
 REUSE.toml | 6 -
 default.nix | 6 -
 machines/nixos/web01/ntfy-sh/default.nix | 6 +-
 machines/nixos/web01/ntfy-sh/hash-mgmt.patch | 109 -------------------
 modules/nixos/ntfy-sh/ntfy-acl.py | 15 +--
 5 files changed, 9 insertions(+), 133 deletions(-)
 delete mode 100644 machines/nixos/web01/ntfy-sh/hash-mgmt.patch

diff --git a/REUSE.toml b/REUSE.toml
index 9c9cee3..4ec809a 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -41,12 +41,6 @@ SPDX-License-Identifier = "EUPL-1.2"
 path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch", "machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"]
 precedence = "closest"
 
-[[annotations]]
-SPDX-FileCopyrightText = "2025 Lubin Bailly "
-SPDX-License-Identifier = "EUPL-1.2"
-path = ["machines/nixos/web01/ntfy-sh/hash-mgmt.patch"]
-precedence = "closest"
-
 [[annotations]]
 SPDX-FileCopyrightText = ["2024 Tom Hubrecht ", "2025 Lubin Bailly "]
 SPDX-License-Identifier = "EUPL-1.2"
diff --git a/default.nix b/default.nix
index 05e0f0c..86d123f 100644
--- a/default.nix
+++ b/default.nix
@@ -151,12 +151,6 @@ let
         ];
         copyright = "2024 Lubin Bailly ";
       }
-      {
-        path = [
-          "machines/nixos/web01/ntfy-sh/hash-mgmt.patch"
-        ];
-        copyright = "2025 Lubin Bailly ";
-      }
       {
         path = [
           "patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"
diff --git a/machines/nixos/web01/ntfy-sh/default.nix b/machines/nixos/web01/ntfy-sh/default.nix
index 51de1c3..54dc0a6 100644
--- a/machines/nixos/web01/ntfy-sh/default.nix
+++ b/machines/nixos/web01/ntfy-sh/default.nix
@@ -32,7 +32,11 @@ in
   nixpkgs.overlays = [
     (_: super: {
       ntfy-sh = super.ntfy-sh.overrideAttrs (o: {
-        patches = o.patches or [ ] ++ [ ./hash-mgmt.patch ];
+        patches = o.patches or [ ] ++ [
+          (super.fetchurl {
+            url = "https://github.com/binwiederhier/ntfy/pull/1340.patch";
+          })
+        ];
       });
     })
   ];
diff --git a/machines/nixos/web01/ntfy-sh/hash-mgmt.patch b/machines/nixos/web01/ntfy-sh/hash-mgmt.patch
deleted file mode 100644
index f24ce06..0000000
--- a/machines/nixos/web01/ntfy-sh/hash-mgmt.patch
+++ /dev/null
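Review bot: The new `super.fetchurl` entry in `patches` carries no `hash`, so nothing pins the content that gets applied to ntfy's user/credential handling, and a `pull/1340.patch` URL is a moving target that changes whenever the PR branch is pushed or rebased. As far as I know current nixpkgs `fetchurl` refuses to evaluate a hash-less fetch, so this override likely fails to build at all; on a nixpkgs that still accepts it, the fetch is impure and whatever the URL serves at build time ends up in the auth code. Pin the artifact with a hash and a stable commit URL, e.g. `(super.fetchpatch { url = "https://github.com/binwiederhier/ntfy/commit/<merged-commit-sha>.patch"; hash = "<sha256 of the fetched patch>"; })` (placeholders to be filled in), which also normalizes the patch. Since the commit message says the feature is upstreamed, the override should be dropped entirely once the nixpkgs `ntfy-sh` release in use includes it.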
@@ -1,109 +0,0 @@ -From a14edcbb0f746baecd983c2bea06248ddeffe1d2 Mon Sep 17 00:00:00 2001 -From: catvayor -Date: Fri, 16 May 2025 18:18:19 +0200 -Subject: [PATCH] feat(auth): allow to manage hashed password directly - ---- - cmd/user.go | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ - user/manager.go | 13 +++++++++---- - 2 files changed, 57 insertions(+), 4 deletions(-) - -diff --git a/cmd/user.go b/cmd/user.go -index af3afe54..8618fdc0 100644 ---- a/cmd/user.go -+++ b/cmd/user.go -@@ -93,6 +93,26 @@ Example: - You may set the NTFY_PASSWORD environment variable to pass the new password. This is - useful if you are updating users via scripts. - -+`, -+ }, -+ { -+ Name: "change-pass-hash", -+ Aliases: []string{"chph"}, -+ Usage: "Changes a user's password hash", -+ UsageText: "ntfy user change-pass USERNAME\nNTFY_PASSWORD=... ntfy user change-pass USERNAME", -+ Action: execUserChangePassHashed, -+ Description: `Change the password hash for the given user. -+ -+The new password hash will be read from STDIN, and it'll be confirmed by typing -+it twice. -+ -+Example: -+ ntfy user change-pass phil -+ NTFY_PASSWORD=.. ntfy user change-pass phil -+ -+You may set the NTFY_PASSWORD environment variable to pass the new password hash. This is -+useful if you are updating users via scripts. 
-+ - `, - }, - { -@@ -256,6 +276,34 @@ func execUserChangePass(c *cli.Context) error { - return nil - } - -+func execUserChangePassHashed(c *cli.Context) error { -+ username := c.Args().Get(0) -+ password := os.Getenv("NTFY_PASSWORD") -+ if username == "" { -+ return errors.New("username expected, type 'ntfy user change-pass --help' for help") -+ } else if username == userEveryone || username == user.Everyone { -+ return errors.New("username not allowed") -+ } -+ manager, err := createUserManager(c) -+ if err != nil { -+ return err -+ } -+ if _, err := manager.User(username); err == user.ErrUserNotFound { -+ return fmt.Errorf("user %s does not exist", username) -+ } -+ if password == "" { -+ password, err = readPasswordAndConfirm(c) -+ if err != nil { -+ return err -+ } -+ } -+ if err := manager.ChangePasswordHashed(username, []byte(password)); err != nil { -+ return err -+ } -+ fmt.Fprintf(c.App.ErrWriter, "changed password for user %s\n", username) -+ return nil -+} -+ - func execUserChangeRole(c *cli.Context) error { - username := c.Args().Get(0) - role := user.Role(c.Args().Get(1)) -diff --git a/user/manager.go b/user/manager.go -index 9f54625f..19f7be40 100644 ---- a/user/manager.go -+++ b/user/manager.go -@@ -1191,16 +1191,21 @@ func (a *Manager) ReservationOwner(topic string) (string, error) { - return ownerUserID, nil - } - -+// ChangePassword changes a user's password -+func (a *Manager) ChangePasswordHashed(username string, hash []byte) error { -+ if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil { -+ return err -+ } -+ return nil -+} -+ - // ChangePassword changes a user's password - func (a *Manager) ChangePassword(username, password string) error { - hash, err := bcrypt.GenerateFromPassword([]byte(password), a.bcryptCost) - if err != nil { - return err - } -- if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil { -- return err -- } -- return nil -+ return a.ChangePasswordHashed(username, hash) - } - - // 
ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin, --- -2.49.0 -
diff --git a/modules/nixos/ntfy-sh/ntfy-acl.py b/modules/nixos/ntfy-sh/ntfy-acl.py
index 4ff5d1a..88145e6 100644
--- a/modules/nixos/ntfy-sh/ntfy-acl.py
+++ b/modules/nixos/ntfy-sh/ntfy-acl.py
@@ -17,27 +17,20 @@ def create_user(u: str, role: str, passwordFile: str, hashedPassword: str):
     if passwordFile != None:
         with open(passwordFile) as pwd_fp:
             env = {"NTFY_PASSWORD": pwd_fp.read().strip()}
-
-        ntfy("user", "add", f"--role={role}", u, env=env)
     else:
-        env = {"NTFY_PASSWORD": hashedPassword}
+        env = {"NTFY_PASSWORD_HASH": hashedPassword}
 
-        ntfy("user", "add", f"--role={role}", u, env=env)
-        # HACK: add does not supports hashedPassword entry
-        ntfy("user", "change-pass-hash", u, env=env)
+    ntfy("user", "add", f"--role={role}", u, env=env)
 
 
 def update_user(u: str, role: str, passwordFile: str, hashedPassword: str):
     # Update the user with the required role and password
     if passwordFile != None:
         with open(passwordFile) as pwd_fp:
             env = {"NTFY_PASSWORD": pwd_fp.read().strip()}
-
-        ntfy("user", "change-pass", u, env=env)
     else:
-        env = {"NTFY_PASSWORD": hashedPassword}
-
-        ntfy("user", "change-pass-hash", u, env=env)
+        env = {"NTFY_PASSWORD_HASH": hashedPassword}
+    ntfy("user", "change-pass", u, env=env)
     ntfy("user", "change-role", u, role)
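Review bot: With the `ntfy("user", "add", ...)` and `ntfy("user", "change-pass", ...)` calls hoisted below the `if`/`else`, both `create_user` and `update_user` now take the `else` branch whenever `passwordFile` is `None` without checking that `hashedPassword` is set, so a user declared with neither ends up with `env = {"NTFY_PASSWORD_HASH": None}`; if `ntfy()` forwards that dict to `subprocess`, the failure is a TypeError rather than a message naming the user. A guard at the top of each `else` branch, `if hashedPassword is None: raise ValueError(f"user {u}: passwordFile or hashedPassword is required")`, makes the contract explicit. The deleted `# HACK` comment was the only hint that the hash path depends on a patched ntfy, and `NTFY_PASSWORD_HASH` is presumably only honoured once the upstream change is applied, so a comment on the `else` branch such as `# NTFY_PASSWORD_HASH is read by the ntfy CLI with upstream PR 1340 applied; without it, change-pass presumably falls back to prompting on stdin` would spare the next maintainer a hunt. `passwordFile != None` should be `passwordFile is not None`. The `def create_user` line appears only in the hunk header, and the hunk's trailing context lines are not visible here.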