chore: extend /health with hash distribution & export_stream flag

[zensgit]

Adds bcrypt/argon2 hash distribution metrics and export_stream feature flag to /health response. Non-breaking, best-effort queries.

[gemini-code-assist]

Summary of Changes

Hello @zensgit, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on improving security and observability within the application. It introduces a transparent password rehash mechanism to upgrade older bcrypt hashes to Argon2id upon user login, enhancing overall security. Concurrently, the /health endpoint has been extended to provide more detailed insights into the system's state, specifically regarding password hash distribution and the activation status of the export streaming feature. Additionally, new documentation has been added to guide performance benchmarking for the export streaming functionality.

Highlights

• Password Rehash Mechanism: Implemented an opportunistic password rehash during user login, transparently upgrading legacy bcrypt hashes to the more secure Argon2id format. This process is non-blocking and can be controlled via the REHASH_ON_LOGIN environment variable.
• Enhanced Health Endpoint: The /health endpoint now includes new metrics: a distribution count of bcrypt and Argon2 password hashes in the database, and the status of the export_stream feature flag.
• Export Streaming Benchmark Documentation: Added a new documentation file (docs/EXPORT_STREAMING_BENCH.md) detailing how to benchmark the export streaming feature, including setup, commands, and preliminary performance metrics comparing streaming versus buffered export.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

This PR extends the /health endpoint with additional metrics and monitoring capabilities while adding password rehashing functionality for security improvements.

• Adds hash distribution metrics (bcrypt vs argon2 counts) to health endpoint for password security monitoring
• Introduces export_stream feature flag exposure in health status
• Implements transparent password rehashing from bcrypt to Argon2id during login with configurable toggle

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
jive-api/src/main.rs	Extends health endpoint with hash distribution metrics and export_stream feature flag
jive-api/src/handlers/auth.rs	Adds password rehashing logic from bcrypt to Argon2id with environment variable control
docs/EXPORT_STREAMING_BENCH.md	Documents benchmark procedures for export streaming feature
README.md	Updates documentation with password rehashing configuration instructions

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

[nitpick] The SQL query string has inconsistent formatting with a literal newline and extra spaces. Consider normalizing the whitespace or using a multiline string for better readability.

Suggested change

	"SELECT COUNT(*) FILTER (WHERE password_hash LIKE '$2%') AS b,\n COUNT(*) FILTER (WHERE password_hash LIKE '$argon2%') AS a FROM users"
	).fetch_one(&state.pool).await {
	r#"
	SELECT
	COUNT(*) FILTER (WHERE password_hash LIKE '$2%') AS b,
	COUNT(*) FILTER (WHERE password_hash LIKE '$argon2%') AS a
	FROM users
	"#

[Copilot]

[nitpick] Missing space after comma in tuple literal. Should be (0, 0) for consistent formatting.

Suggested change

	} else { (0,0) };
	} else { (0, 0) };

[Copilot]

Creating new Argon2 instance and generating salt on every bcrypt login creates unnecessary overhead. Consider reusing the Argon2 instance or moving this logic outside the rehash condition to avoid repeated instantiation.

[gemini-code-assist]

Code Review

This pull request introduces some valuable enhancements. The addition of password hash distribution to the /health endpoint is great for monitoring the migration from bcrypt to Argon2. The opportunistic password re-hashing on login is a solid security improvement, and making it configurable via an environment variable is a good touch. The new benchmark document for export streaming is also a great practice.

I have a couple of suggestions to improve code clarity and robustness, mainly related to parsing the environment variable and simplifying a database query block. Overall, this is a well-executed change.

[gemini-code-assist]

The logic for parsing the REHASH_ON_LOGIN environment variable is case-sensitive for the value "true" (it accepts "true" and "TRUE" but not "True"), which can be surprising. It's better to perform a case-insensitive comparison for boolean-like strings to make it more robust and user-friendly.

Suggested change

	let enable_rehash = std::env::var("REHASH_ON_LOGIN")
	.map(|v| matches!(v.as_str(), "1" | "true" | "TRUE"))
	.unwrap_or(true);
	let enable_rehash = std::env::var("REHASH_ON_LOGIN")
	.map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
	.unwrap_or(true);

[gemini-code-assist]

This block is functionally correct, but it's quite dense. The if let ... else combined with an inline use sqlx::Row; statement makes it harder to read. You can refactor this for better clarity using a more functional style. The use sqlx::Row; is also redundant as it's already imported at the top of the file.

    let (bcrypt_count, argon2_count) = sqlx::query(
        "SELECT COUNT(*) FILTER (WHERE password_hash LIKE '$2%') AS b,\n                COUNT(*) FILTER (WHERE password_hash LIKE '$argon2%') AS a FROM users"
    )
    .fetch_one(&state.pool)
    .await
    .map(|row| (row.try_get("b").unwrap_or(0), row.try_get("a").unwrap_or(0)))
    .unwrap_or((0, 0));