electricdusk
/
rushlink
3
3
Fork 3
Code Issues 21 Pull Requests 2 Releases Activity

Compare commits

base: electricdusk:44e74b5d0cc39b7f0b1cb223b401392e6d8e778d
Branches Tags
electricdusk:master
electricdusk:sql
..
compare: electricdusk:588725b235d1331792b516b494079653e9589c61
Branches Tags
electricdusk:master
electricdusk:sql

1 Commits
44e74b5d0c ... 588725b235

Author SHA1 Message Date
Yorick van Pelt 588725b235
improve rl.authenticateUser 2023-04-30 21:26:10 +02:00
2 changed files with 6 additions and 17 deletions
Show Stats Expand all files Collapse all files

1
handlers.go
View File

@ -331,7 +331,6 @@ func (rl *rushlink) authenticateUser(w http.ResponseWriter, r *http.Request, sho
if err != nil {
rl.setWWWAuthenticate(w, r)
log.Printf("authentication failure: %s", err)
return nil
}
if (shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User)) {

22
internal/db/user.go
View File

@ -69,21 +69,11 @@ func Authenticate(db *gorm.DB, username string, password string) (*User, error)
const (
pwdSaltSize = 16
pwdHashSize = 32
// chosen from https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
pwdMemory = 64 * 1024
pwdThreads = 1
pwdIterations = 2
pwdParams = "m=65536,t=2,p=1,v=19"
pwdVersion = "v=19"
pwdParams = "m=65536,t=2,p=1"
pwdAlgo = "argon2id"
)
func HashPassword(password string) (string, error) {
if argon2.Version != 19 {
// go has no static asserts
panic("Unexpected argon2 version")
}
// Generate a salt for the password hash
salt := make([]byte, pwdSaltSize)
if _, err := rand.Read(salt); err != nil {
@ -91,22 +81,22 @@ func HashPassword(password string) (string, error) {
}
// Hash the password using argon2id
hash := argon2.IDKey([]byte(password), salt, pwdIterations, pwdMemory, pwdThreads, pwdHashSize)
hash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
// Encode the salt and hash as a string in PHC format
encodedSalt := base64.RawStdEncoding.EncodeToString(salt)
encodedHash := base64.RawStdEncoding.EncodeToString(hash)
return fmt.Sprintf("$%s$%s$%s$%s$%s", pwdAlgo, pwdVersion, pwdParams, encodedSalt, encodedHash), nil
return fmt.Sprintf("$%s$%s$%s$%s", pwdAlgo, pwdParams, encodedSalt, encodedHash), nil
}
var errInvalidDBPasswordFormat = errors.New("invalid password format in db")
func comparePassword(hashedPassword string, password string) (bool, error) {
// Extract the salt and hash from the hashed password string
fields := strings.Split(hashedPassword, "$")
if len(fields) != 6 || fields[1] != pwdAlgo || fields[2] != pwdVersion || fields[3] != pwdParams {
if len(fields) != 5 || fields[1] != pwdAlgo || fields[2] != pwdParams {
return false, errInvalidDBPasswordFormat
}
encodedSalt, encodedHash := fields[4], fields[5]
encodedSalt, encodedHash := fields[3], fields[4]
// Decode the salt and hash from base64
salt, err := base64.RawStdEncoding.DecodeString(encodedSalt)
@ -119,7 +109,7 @@ func comparePassword(hashedPassword string, password string) (bool, error) {
}
// Hash the password using the extracted salt and parameters
computedHash := argon2.IDKey([]byte(password), salt, pwdIterations, pwdMemory, pwdThreads, pwdHashSize)
computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
// Compare the computed hash with the stored hash
return subtle.ConstantTimeCompare(hash, computedHash) == 1, nil