diff --git a/internal/db/user.go b/internal/db/user.go
index bb307f7..d1de281 100644
--- a/internal/db/user.go
+++ b/internal/db/user.go
@@ -89,13 +89,14 @@ func HashPassword(password string) (string, error) {
 	return fmt.Sprintf("$%s$%s$%s$%s", pwdAlgo, pwdParams, encodedSalt, encodedHash), nil
 }
+var errInvalidDBPasswordFormat = errors.New("invalid password format in db")
 func comparePassword(hashedPassword string, password string) (bool, error) {
 	// Extract the salt and hash from the hashed password string
-	fields := strings.Split(hashedPassword, "$")[1:]
-	if len(fields) != 4 || fields[0] != pwdAlgo || fields[1] != pwdParams {
-		return false, errors.New("invalid password format in db")
+	fields := strings.Split(hashedPassword, "$")
+	if len(fields) != 5 || fields[1] != pwdAlgo || fields[2] != pwdParams {
+		return false, errInvalidDBPasswordFormat
 	}
-	encodedSalt, encodedHash := fields[2], fields[3]
+	encodedSalt, encodedHash := fields[3], fields[4]
 	// Decode the salt and hash from base64
 	salt, err := base64.RawStdEncoding.DecodeString(encodedSalt)
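Review bot: The new format check in comparePassword never verifies that fields[0] is empty, so a stored value with arbitrary text before the first `$` still passes the structural check even though HashPassword only ever emits the `$algo$params$salt$hash` shape. Tightening it keeps the parser strict about what it accepts from the database and rejects corrupted or hand-edited rows early: `if len(fields) != 5 || fields[0] != "" || fields[1] != pwdAlgo || fields[2] != pwdParams {`. Since errInvalidDBPasswordFormat is now a sentinel, a short doc comment such as `// errInvalidDBPasswordFormat is returned when a stored hash does not match the layout produced by HashPassword.` would help callers who match on it with errors.Is. The body of comparePassword continues past the end of this hunk.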