implement the new hash_password function

Author: lovasoa

examples/official-site/sqlpage/migrations/08_functions.sql

@@ -103,4 +103,36 @@ SELECT ''authentication'' AS component,
     sqlpage.basic_auth_password() AS password;
 ```
 '
+    );
+INSERT INTO sqlpage_functions ("name", "icon", "description_md")
+VALUES (
+        'hash_password',
+        'spy',
+        'Hashes a password using the [Argon2](https://en.wikipedia.org/wiki/Argon2) algorithm.
+    The resulting hash can be stored in the database and then used with the [authentication component](documentation.sql?component=authentication#component).
+
+### Example
+
+```sql
+SELECT ''form'' AS component;
+SELECT ''username'' AS name;
+SELECT ''password'' AS name, ''password'' AS type;
+
+INSERT INTO users (name, password_hash) VALUES (:username, sqlpage.hash_password(:password));
+```
+    '
+    );
+INSERT INTO sqlpage_function_parameters (
+        "function",
+        "index",
+        "name",
+        "description_md",
+        "type"
+    )
+VALUES (
+        'hash_password',
+        1,
+        'password',
+        'The password to hash.',
+        'TEXT'
     );

src/webserver/database/mod.rs

@@ -181,10 +181,24 @@ fn extract_req_param<'a>(
         StmtParam::BasicAuthUsername => extract_basic_auth_username(request)
             .map(Cow::Borrowed)
             .map(Some)?,
-        StmtParam::HashPassword(_) => todo!(),
+        StmtParam::HashPassword(inner) => {
+            if let Some(password) = extract_req_param(inner, request)? {
+                Some(Cow::Owned(hash_password(&password)?))
+            } else {
+                None
+            }
+        }
     })
 }
 
+fn hash_password(password: &str) -> anyhow::Result<String> {
+    let phf = argon2::Argon2::default();
+    let salt = password_hash::SaltString::generate(&mut password_hash::rand_core::OsRng);
+    let password_hash = &password_hash::PasswordHash::generate(phf, password, &salt)
+        .map_err(|e| anyhow!("Unable to hash password: {}", e))?;
+    Ok(password_hash.to_string())
+}
+
 #[derive(Debug)]
 pub struct ErrorWithStatus {
     pub status: StatusCode,

src/webserver/database/sql.rs

@@ -208,7 +208,7 @@ fn extract_variable_argument(
             args.as_mut_slice(),
         )),
         _ => Err(format!(
-            "{func_name}({args}) is not a valid call. Expected a literal single quoted string.",
+            "{func_name}({args}) is not a valid call. Expected either a placeholder or a sqlpage function call as argument.",
             args = arguments
                 .iter()
                 .map(ToString::to_string)
@@ -236,9 +236,12 @@ pub fn make_placeholder(db_kind: AnyKind, arg_number: usize) -> String {
 
 impl VisitorMut for ParameterExtractor {
     type Break = ();
-    fn post_visit_expr(&mut self, value: &mut Expr) -> ControlFlow<Self::Break> {
+    fn pre_visit_expr(&mut self, value: &mut Expr) -> ControlFlow<Self::Break> {
         match value {
-            Expr::Value(Value::Placeholder(param)) => {
+            Expr::Value(Value::Placeholder(param))
+                if param.chars().nth(1).is_some_and(char::is_alphabetic) =>
+            // this check is to avoid recursively replacing placeholders in the form of '?', or '$1', '$2', which we emit ourselves
+            {
                 let new_expr = self.make_placeholder();
                 let name = std::mem::take(param);
                 self.parameters.push(map_param(name));