In search_username_in_csv, if stored_username == stored_username{ will always be true, so it will always pick the first line of the CSV.
I think you meant if stored_username == username {
There should have been a warning about the unused username argument. That's the first debugging clue.
warning: unused variable: `username` --> src/main.rs:45:5 |45 | username: &str, | ^^^^^^^^ help: if this is intentional, prefix it with an underscore: `_username` | = note: `#[warn(unused_variables)]` on by defaultAnd we can verify whether verify_password is receiving the expected password and stored_hash.
fn verify_password(password: &str, stored_hash: &str) -> bool { println!("password: '{}', stored_hash: '{}'", password, stored_hash);