mirror/cowyo
1
0
Fork 0
mirror of https://github.com/schollz/cowyo.git synced 2023-08-10 21:13:00 +03:00
Code Issues Projects Releases Wiki Activity

Passwords stored as hashes instead of on the server

Browse Source
This commit is contained in:
Zack Scholl 2016-09-10 07:45:36 -04:00
parent 87e5439854
commit ccfe66e973
3 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -32,7 +32,7 @@ This is a self-contained notepad webserver that makes sharing easy and _fast_. T
<br> <br>
**Self-destructing messages**. You can write a message that will delete itself when a user loads it (in any view). Useful for transmitting sensitive information. To use, simply add a line somewhere that says only "`self-destruct`". **Self-destructing messages**. You can write a message [that will delete itself](https://github.com/schollz/cowyo/blob/master/routes.go#L550-L553) when a user loads it (in any view). Useful for transmitting sensitive information. To use, simply add a line somewhere that says only "`self-destruct`".
![Mission impossible style self-destruction.](https://raw.githubusercontent.com/schollz/cowyo/master/static/img/help5.gif) ![Mission impossible style self-destruction.](https://raw.githubusercontent.com/schollz/cowyo/master/static/img/help5.gif)

7
routes.go
View File

@ -149,7 +149,8 @@ func encryptionRoute(c *gin.Context) {
if err != nil { if err != nil {
panic(err) panic(err)
} }
p.Locked = jsonLoad.Password hashedPassword, _ := HashPassword([]byte(jsonLoad.Password))
p.Locked = string(hashedPassword)
p.save(p.CurrentText) p.save(p.CurrentText)
c.JSON(200, gin.H{ c.JSON(200, gin.H{
"status": "posted", "status": "posted",
@ -173,7 +174,9 @@ func encryptionRoute(c *gin.Context) {
if err != nil { if err != nil {
panic(err) panic(err)
} }
if len(p.Locked) > 0 && p.Locked == jsonLoad.Password { if len(p.Locked) > 0 &&
(p.Locked == jsonLoad.Password ||
CheckPasswordHash([]byte(p.Locked), []byte(jsonLoad.Password)) == nil) {
p.Locked = "" p.Locked = ""
p.save(p.CurrentText) p.save(p.CurrentText)
c.JSON(200, gin.H{ c.JSON(200, gin.H{

15
utils.go
View File

@ -11,6 +11,8 @@ import (
"strings" "strings"
"time" "time"
"golang.org/x/crypto/bcrypt"
"github.com/jcelliott/lumber" "github.com/jcelliott/lumber"
"github.com/sergi/go-diff/diffmatchpatch" "github.com/sergi/go-diff/diffmatchpatch"
) )
@ -236,3 +238,16 @@ func GetLocalIP() string {
} }
return bestIP return bestIP
} }
// HashPassword generates a bcrypt hash of the password using work factor 14.
// https://github.com/gtank/cryptopasta/blob/master/hash.go
func HashPassword(password []byte) ([]byte, error) {
return bcrypt.GenerateFromPassword(password, 14)
}
// CheckPassword securely compares a bcrypt hashed password with its possible
// plaintext equivalent. Returns nil on success, or an error on failure.
// https://github.com/gtank/cryptopasta/blob/master/hash.go
func CheckPasswordHash(hash, password []byte) error {
return bcrypt.CompareHashAndPassword(hash, password)
}