comparePassword: eliminate unsafe slice

2023-04-30 21:20:41 +02:00 · 2023-04-30 21:20:41 +02:00 · f5e107e3a0
commit f5e107e3a0
parent 11975d7911
1 changed files with 5 additions and 4 deletions
--- a/internal/db/user.go
+++ b/internal/db/user.go
@ -89,13 +89,14 @@ func HashPassword(password string) (string, error) {
 	return fmt.Sprintf("$%s$%s$%s$%s", pwdAlgo, pwdParams, encodedSalt, encodedHash), nil
 }

+var errInvalidDBPasswordFormat = errors.New("invalid password format in db")
 func comparePassword(hashedPassword string, password string) (bool, error) {
 	// Extract the salt and hash from the hashed password string
-	fields := strings.Split(hashedPassword, "$")[1:]
-	if len(fields) != 4 || fields[0] != pwdAlgo || fields[1] != pwdParams {
-		return false, errors.New("invalid password format in db")
+	fields := strings.Split(hashedPassword, "$")
+	if len(fields) != 5 || fields[1] != pwdAlgo || fields[2] != pwdParams {
+		return false, errInvalidDBPasswordFormat
 	}
-	encodedSalt, encodedHash := fields[2], fields[3]
+	encodedSalt, encodedHash := fields[3], fields[4]

 	// Decode the salt and hash from base64
 	salt, err := base64.RawStdEncoding.DecodeString(encodedSalt)