krivahtoo · krivahtoo · Feb 16, 2026
diff --git a/crates/server/src/auth.rs b/crates/server/src/auth.rs
@@ -90,10 +90,13 @@
        .to_string()
 }

 pub fn verify_password(password: &str, hash: &str) -> bool {
     use argon2::{PasswordHash, PasswordVerifier};
 
-    let parsed_hash = PasswordHash::new(hash).expect("Invalid hash format");
+    let Ok(parsed_hash) = PasswordHash::new(hash) else {
+        return false;
+    };
+
     Argon2::default()
         .verify_password(password.as_bytes(), &parsed_hash)
         .is_ok()
@@ -170,6 +173,12 @@
         assert!(!verify_password(empty_password, &hashed));
     }
 
+    #[test]
+    fn test_verify_password_invalid_hash() {
+        // Invalid hash input should not panic and should return false.
+        assert!(!verify_password("test_password", "not-a-valid-hash"));
+    }
+
     #[test]
     fn test_auth_error_display() {
         let missing_creds = AuthError::MissingCredentials;