From 5a84ad29dd5ca794d5be82115a3a263fcc04b324 Mon Sep 17 00:00:00 2001
From: Jaya Kasa <kasa288@gmail.com>
Date: Wed, 24 Jun 2026 16:57:29 -0400
Subject: [PATCH] refactor(server-ng): move password crypto into server_common

server-ng pulled password hashing and verification from the legacy server
crate, forcing a compile-time dependency on the binary it is meant to
replace. The crypto module is three free functions over argon2 and rand
with no server-internal state, so it relocates cleanly to the shared
server_common crate.

server keeps the symbols at their original module path via a re-export, so
its own call sites are untouched. The argon2 and rand dependencies move with
the code, since crypto was their only consumer in server.

Refs #3315.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 Cargo.lock                                                    | 4 ++--
 core/server-ng/src/auth.rs                                    | 2 +-
 core/server-ng/src/users.rs                                   | 3 +--
 core/server/Cargo.toml                                        | 2 --
 core/server/src/streaming/utils/mod.rs                        | 2 +-
 core/server_common/Cargo.toml                                 | 2 ++
 .../src/streaming/utils => server_common/src}/crypto.rs       | 0
 core/server_common/src/lib.rs                                 | 1 +
 8 files changed, 8 insertions(+), 8 deletions(-)
 rename core/{server/src/streaming/utils => server_common/src}/crypto.rs (100%)

diff --git a/Cargo.lock b/Cargo.lock
index be96205a9e..ea031c3dcc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -11493,7 +11493,6 @@ version = "0.8.1-edge.1"
 dependencies = [
  "ahash 0.8.12",
  "anyhow",
- "argon2",
  "async-channel",
  "async_zip",
  "axum",
@@ -11531,7 +11530,6 @@ dependencies = [
  "opentelemetry_sdk",
  "papaya",
  "prometheus-client",
- "rand 0.10.1",
  "ringbuffer",
  "rmp-serde",
  "rolling-file",
@@ -11647,6 +11645,7 @@ name = "server_common"
 version = "0.1.0"
 dependencies = [
  "aligned-vec",
+ "argon2",
  "bytemuck",
  "bytes",
  "compio",
@@ -11659,6 +11658,7 @@ dependencies = [
  "lending-iterator",
  "moka",
  "nix",
+ "rand 0.10.1",
  "rcgen",
  "rustls",
  "serial_test",
diff --git a/core/server-ng/src/auth.rs b/core/server-ng/src/auth.rs
index b4c5b66ebc..283d23c8b1 100644
--- a/core/server-ng/src/auth.rs
+++ b/core/server-ng/src/auth.rs
@@ -31,7 +31,7 @@ use iggy_binary_protocol::RequestHeader;
 use iggy_common::{IggyTimestamp, PersonalAccessToken, UserStatus};
 use message_bus::MessageBus;
 use metadata::impls::metadata::StreamsFrontend;
-use server::streaming::utils::crypto;
+use server_common::crypto;
 use std::cell::RefCell;
 use std::rc::Rc;
 use tracing::warn;
diff --git a/core/server-ng/src/users.rs b/core/server-ng/src/users.rs
index 524512cc71..b65ed357ab 100644
--- a/core/server-ng/src/users.rs
+++ b/core/server-ng/src/users.rs
@@ -31,8 +31,7 @@ use iggy_binary_protocol::codec::{WireDecode, WireEncode};
 use iggy_binary_protocol::requests::users::{ChangePasswordRequest, CreateUserRequest};
 use iggy_binary_protocol::{Operation, RequestHeader};
 use iggy_common::IggyError;
-use server::streaming::utils::crypto;
-use server_common::Message;
+use server_common::{Message, crypto};
 
 /// Replace a raw wire password with its Argon2 hash before replication.
 ///
diff --git a/core/server/Cargo.toml b/core/server/Cargo.toml
index 647f063759..c48abee12b 100644
--- a/core/server/Cargo.toml
+++ b/core/server/Cargo.toml
@@ -42,7 +42,6 @@ systemd = ["dep:sd-notify"]
 [dependencies]
 ahash = { workspace = true }
 anyhow = { workspace = true }
-argon2 = { workspace = true }
 async-channel = { workspace = true }
 async_zip = { workspace = true }
 axum = { workspace = true }
@@ -79,7 +78,6 @@ opentelemetry-semantic-conventions = { workspace = true }
 opentelemetry_sdk = { workspace = true }
 papaya = { workspace = true }
 prometheus-client = { workspace = true }
-rand = { workspace = true }
 ringbuffer = { workspace = true }
 rmp-serde = { workspace = true }
 rolling-file = { workspace = true }
diff --git a/core/server/src/streaming/utils/mod.rs b/core/server/src/streaming/utils/mod.rs
index 8e547aaa60..b03232126f 100644
--- a/core/server/src/streaming/utils/mod.rs
+++ b/core/server/src/streaming/utils/mod.rs
@@ -16,7 +16,7 @@
 // under the License.
 
 pub mod address;
-pub mod crypto;
 pub mod file;
 pub mod ptr;
 pub use iggy_common::random_id;
+pub use server_common::crypto;
diff --git a/core/server_common/Cargo.toml b/core/server_common/Cargo.toml
index 9b658b9e0f..2960cd11fe 100644
--- a/core/server_common/Cargo.toml
+++ b/core/server_common/Cargo.toml
@@ -25,6 +25,7 @@ publish = false
 
 [dependencies]
 aligned-vec = { workspace = true }
+argon2 = { workspace = true }
 bytemuck = { workspace = true }
 bytes = { workspace = true }
 compio = { workspace = true }
@@ -36,6 +37,7 @@ iggy_binary_protocol = { workspace = true }
 iggy_common = { workspace = true }
 lending-iterator = { workspace = true }
 moka = { workspace = true }
+rand = { workspace = true }
 rcgen = { workspace = true }
 rustls = { workspace = true }
 smallvec = { workspace = true }
diff --git a/core/server/src/streaming/utils/crypto.rs b/core/server_common/src/crypto.rs
similarity index 100%
rename from core/server/src/streaming/utils/crypto.rs
rename to core/server_common/src/crypto.rs
diff --git a/core/server_common/src/lib.rs b/core/server_common/src/lib.rs
index fcb955b5e4..5420adf154 100644
--- a/core/server_common/src/lib.rs
+++ b/core/server_common/src/lib.rs
@@ -19,6 +19,7 @@ pub mod bootstrap;
 mod buffer;
 mod certificates;
 mod consensus_message;
+pub mod crypto;
 mod deduplication;
 pub mod diagnostics;
 pub mod executor;