electricdusk/rushlink
3
3
Fork 3
Code Issues 21 Pull Requests 2 Releases Activity

comparePassword: eliminate unsafe slice

Browse Source
This commit is contained in:
Yorick van Pelt 2023-04-30 21:20:41 +02:00
parent 11975d7911
commit f5e107e3a0
No known key found for this signature in database
GPG Key ID: A36E70F9DC014A15
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
internal/db/user.go
View File

@ -89,13 +89,14 @@ func HashPassword(password string) (string, error) {
return fmt.Sprintf("$%s$%s$%s$%s", pwdAlgo, pwdParams, encodedSalt, encodedHash), nil return fmt.Sprintf("$%s$%s$%s$%s", pwdAlgo, pwdParams, encodedSalt, encodedHash), nil
} }
var errInvalidDBPasswordFormat = errors.New("invalid password format in db")
func comparePassword(hashedPassword string, password string) (bool, error) { func comparePassword(hashedPassword string, password string) (bool, error) {
// Extract the salt and hash from the hashed password string // Extract the salt and hash from the hashed password string
fields := strings.Split(hashedPassword, "$")[1:] fields := strings.Split(hashedPassword, "$")
if len(fields) != 4 || fields[0] != pwdAlgo || fields[1] != pwdParams { if len(fields) != 5 || fields[1] != pwdAlgo || fields[2] != pwdParams {
return false, errors.New("invalid password format in db") return false, errInvalidDBPasswordFormat
} }
encodedSalt, encodedHash := fields[2], fields[3] encodedSalt, encodedHash := fields[3], fields[4]
// Decode the salt and hash from base64 // Decode the salt and hash from base64
salt, err := base64.RawStdEncoding.DecodeString(encodedSalt) salt, err := base64.RawStdEncoding.DecodeString(encodedSalt)