Compare commits
2 Commits
588725b235
...
44e74b5d0c
| Author | SHA1 | Date |
|---|---|---|
 Yorick van Pelt
|
44e74b5d0c | |
|
Yorick van Pelt
|
8f5ce1d9fc |
39
handlers.go
39
handlers.go
|
|
@ -246,22 +246,11 @@ func (rl *rushlink) viewActionSuccess(w http.ResponseWriter, r *http.Request, p
|
|||
|
||||
func (rl *rushlink) newPasteHandler(w http.ResponseWriter, r *http.Request) {
|
||||
// Check if the user is authenticated
|
||||
username, password, ok := r.BasicAuth()
|
||||
if !ok {
|
||||
// User is not authenticated, return a 401 Unauthorized response
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
user := rl.authenticateUser(w, r, false, nil)
|
||||
if user == nil {
|
||||
return
|
||||
}
|
||||
|
||||
// Authenticate the user
|
||||
user, err := db.Authenticate(rl.db, username, password)
|
||||
if err != nil {
|
||||
// Authentication failed, return a 401 Unauthorized response
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
if err := r.ParseMultipartForm(formParseMaxMemory); err != nil {
|
||||
msg := fmt.Sprintf("could not parse form: %v\n", err)
|
||||
rl.renderError(w, r, http.StatusBadRequest, msg)
|
||||
|
|
@ -322,25 +311,33 @@ func (rl *rushlink) createUserHandler(w http.ResponseWriter, r *http.Request) {
|
|||
w.WriteHeader(http.StatusCreated)
|
||||
}
|
||||
|
||||
func (rl *rushlink) setWWWAuthenticate(w http.ResponseWriter, r *http.Request) {
|
||||
// Set authentication headers for Basic Authentication
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
}
|
||||
|
||||
func (rl *rushlink) authenticateUser(w http.ResponseWriter, r *http.Request, shouldBeAdmin bool, canAlsoBe *string) *db.User {
|
||||
// Check if the user is authenticated
|
||||
username, password, ok := r.BasicAuth()
|
||||
if !ok {
|
||||
// User is not authenticated, return a 401 Unauthorized response
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
rl.setWWWAuthenticate(w, r)
|
||||
return nil
|
||||
}
|
||||
|
||||
// Authenticate the user
|
||||
user, err := db.Authenticate(rl.db, username, password)
|
||||
if err != nil || (shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User)) {
|
||||
if err != nil {
|
||||
rl.setWWWAuthenticate(w, r)
|
||||
log.Printf("authentication failure: %s", err)
|
||||
return nil
|
||||
}
|
||||
|
||||
if (shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User)) {
|
||||
// Authentication failed, return a 401 Unauthorized response
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
if err != nil {
|
||||
log.Printf("authentication failure: %s", err)
|
||||
}
|
||||
rl.setWWWAuthenticate(w, r)
|
||||
log.Printf("user '%s' should be admin (or '%s'), but isn't", username, canAlsoBe)
|
||||
return nil
|
||||
}
|
||||
return user
|
||||
|
|
|
|||
|
|
@ -69,11 +69,21 @@ func Authenticate(db *gorm.DB, username string, password string) (*User, error)
|
|||
const (
|
||||
pwdSaltSize = 16
|
||||
pwdHashSize = 32
|
||||
pwdParams = "m=65536,t=2,p=1"
|
||||
|
||||
// chosen from https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
|
||||
pwdMemory = 64 * 1024
|
||||
pwdThreads = 1
|
||||
pwdIterations = 2
|
||||
pwdParams = "m=65536,t=2,p=1,v=19"
|
||||
pwdVersion = "v=19"
|
||||
pwdAlgo = "argon2id"
|
||||
)
|
||||
|
||||
func HashPassword(password string) (string, error) {
|
||||
if argon2.Version != 19 {
|
||||
// go has no static asserts
|
||||
panic("Unexpected argon2 version")
|
||||
}
|
||||
// Generate a salt for the password hash
|
||||
salt := make([]byte, pwdSaltSize)
|
||||
if _, err := rand.Read(salt); err != nil {
|
||||
|
|
@ -81,22 +91,22 @@ func HashPassword(password string) (string, error) {
|
|||
}
|
||||
|
||||
// Hash the password using argon2id
|
||||
hash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
|
||||
hash := argon2.IDKey([]byte(password), salt, pwdIterations, pwdMemory, pwdThreads, pwdHashSize)
|
||||
|
||||
// Encode the salt and hash as a string in PHC format
|
||||
encodedSalt := base64.RawStdEncoding.EncodeToString(salt)
|
||||
encodedHash := base64.RawStdEncoding.EncodeToString(hash)
|
||||
return fmt.Sprintf("$%s$%s$%s$%s", pwdAlgo, pwdParams, encodedSalt, encodedHash), nil
|
||||
return fmt.Sprintf("$%s$%s$%s$%s$%s", pwdAlgo, pwdVersion, pwdParams, encodedSalt, encodedHash), nil
|
||||
}
|
||||
|
||||
var errInvalidDBPasswordFormat = errors.New("invalid password format in db")
|
||||
func comparePassword(hashedPassword string, password string) (bool, error) {
|
||||
// Extract the salt and hash from the hashed password string
|
||||
fields := strings.Split(hashedPassword, "$")
|
||||
if len(fields) != 5 || fields[1] != pwdAlgo || fields[2] != pwdParams {
|
||||
if len(fields) != 6 || fields[1] != pwdAlgo || fields[2] != pwdVersion || fields[3] != pwdParams {
|
||||
return false, errInvalidDBPasswordFormat
|
||||
}
|
||||
encodedSalt, encodedHash := fields[3], fields[4]
|
||||
encodedSalt, encodedHash := fields[4], fields[5]
|
||||
|
||||
// Decode the salt and hash from base64
|
||||
salt, err := base64.RawStdEncoding.DecodeString(encodedSalt)
|
||||
|
|
@ -109,7 +119,7 @@ func comparePassword(hashedPassword string, password string) (bool, error) {
|
|||
}
|
||||
|
||||
// Hash the password using the extracted salt and parameters
|
||||
computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
|
||||
computedHash := argon2.IDKey([]byte(password), salt, pwdIterations, pwdMemory, pwdThreads, pwdHashSize)
|
||||
|
||||
// Compare the computed hash with the stored hash
|
||||
return subtle.ConstantTimeCompare(hash, computedHash) == 1, nil
|
||||
|
|
|
|||
Loading…
Reference in New Issue