mirror of
https://github.com/muety/wakapi.git
synced 2023-08-10 21:12:56 +03:00
feat: use bcrypt with salts instead of md5 for hashing password (resolve #21)
This commit is contained in:
parent
625994d1e9
commit
08675bd99f
@ -5,5 +5,6 @@ WAKAPI_DB_USER=myuser
|
||||
WAKAPI_DB_PASSWORD=shhh
|
||||
WAKAPI_DB_HOST=localhost
|
||||
WAKAPI_DB_PORT=3306
|
||||
WAKAPI_PASSWORD_SALT=shhh
|
||||
WAKAPI_DEFAULT_USER_NAME=admin
|
||||
WAKAPI_DEFAULT_USER_PASSWORD=admin # CHANGE!
|
||||
WAKAPI_DEFAULT_USER_PASSWORD=admin123 # CHANGE!
|
@ -4,7 +4,7 @@ port = 3000
|
||||
base_path = /
|
||||
|
||||
[app]
|
||||
cleanup = true
|
||||
cleanup = false
|
||||
|
||||
[database]
|
||||
max_connections = 2
|
||||
|
1
go.mod
1
go.mod
@ -16,5 +16,6 @@ require (
|
||||
github.com/rubenv/sql-migrate v0.0.0-20200402132117-435005d389bc
|
||||
github.com/satori/go.uuid v1.2.0
|
||||
github.com/t-tiger/gorm-bulk-insert v0.0.0-20191014134946-beb77b81825f
|
||||
golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c
|
||||
gopkg.in/ini.v1 v1.50.0
|
||||
)
|
||||
|
@ -101,7 +101,7 @@ func (m *AuthenticateMiddleware) tryGetUserByCookie(r *http.Request) (*models.Us
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !utils.CheckPassword(user, login.Password) {
|
||||
if !utils.CheckPassword(user, login.Password, m.config.PasswordSalt) {
|
||||
return nil, errors.New("invalid password")
|
||||
}
|
||||
} else {
|
||||
|
@ -30,6 +30,7 @@ type Config struct {
|
||||
CleanUp bool
|
||||
DefaultUserName string
|
||||
DefaultUserPassword string
|
||||
PasswordSalt string
|
||||
SecureCookieHashKey string
|
||||
SecureCookieBlockKey string
|
||||
CustomLanguages map[string]string
|
||||
@ -86,6 +87,7 @@ func readConfig() *Config {
|
||||
dbHost := LookupFatal("WAKAPI_DB_HOST")
|
||||
dbName := LookupFatal("WAKAPI_DB_NAME")
|
||||
dbPortStr := LookupFatal("WAKAPI_DB_PORT")
|
||||
passwordSalt := LookupFatal("WAKAPI_PASSWORD_SALT")
|
||||
defaultUserName := LookupFatal("WAKAPI_DEFAULT_USER_NAME")
|
||||
defaultUserPassword := LookupFatal("WAKAPI_DEFAULT_USER_PASSWORD")
|
||||
dbPort, err := strconv.Atoi(dbPortStr)
|
||||
@ -162,6 +164,7 @@ func readConfig() *Config {
|
||||
DbMaxConn: dbMaxConn,
|
||||
CleanUp: cleanUp,
|
||||
SecureCookie: secureCookie,
|
||||
PasswordSalt: passwordSalt,
|
||||
DefaultUserName: defaultUserName,
|
||||
DefaultUserPassword: defaultUserPassword,
|
||||
CustomLanguages: customLangs,
|
||||
|
@ -76,7 +76,7 @@ func (h *IndexHandler) Login(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if !utils.CheckPassword(user, login.Password) {
|
||||
if !utils.CheckPassword(user, login.Password, h.config.PasswordSalt) {
|
||||
respondAlert(w, "invalid credentials", "", "", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
@ -1,10 +1,9 @@
|
||||
package services
|
||||
|
||||
import (
|
||||
"crypto/md5"
|
||||
"encoding/hex"
|
||||
"github.com/jinzhu/gorm"
|
||||
"github.com/muety/wakapi/models"
|
||||
"github.com/muety/wakapi/utils"
|
||||
uuid "github.com/satori/go.uuid"
|
||||
)
|
||||
|
||||
@ -47,14 +46,14 @@ func (srv *UserService) GetAll() ([]*models.User, error) {
|
||||
}
|
||||
|
||||
func (srv *UserService) CreateOrGet(signup *models.Signup) (*models.User, bool, error) {
|
||||
pw := md5.Sum([]byte(signup.Password))
|
||||
pwString := hex.EncodeToString(pw[:])
|
||||
apiKey := uuid.NewV4().String()
|
||||
|
||||
u := &models.User{
|
||||
ID: signup.Username,
|
||||
ApiKey: apiKey,
|
||||
Password: pwString,
|
||||
ApiKey: uuid.NewV4().String(),
|
||||
Password: signup.Password,
|
||||
}
|
||||
|
||||
if err := utils.HashPassword(u, srv.Config.PasswordSalt); err != nil {
|
||||
return nil, false, err
|
||||
}
|
||||
|
||||
result := srv.Db.FirstOrCreate(u, &models.User{ID: u.ID})
|
||||
|
@ -1,11 +1,10 @@
|
||||
package utils
|
||||
|
||||
import (
|
||||
"crypto/md5"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"github.com/muety/wakapi/models"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"net/http"
|
||||
"regexp"
|
||||
"strings"
|
||||
@ -55,11 +54,16 @@ func ExtractCookieAuth(r *http.Request, config *models.Config) (login *models.Lo
|
||||
return login, nil
|
||||
}
|
||||
|
||||
func CheckPassword(user *models.User, password string) bool {
|
||||
passwordHash := md5.Sum([]byte(password))
|
||||
passwordHashString := hex.EncodeToString(passwordHash[:])
|
||||
if passwordHashString == user.Password {
|
||||
return true
|
||||
func CheckPassword(user *models.User, password, salt string) bool {
|
||||
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password+salt))
|
||||
return err == nil
|
||||
}
|
||||
return false
|
||||
|
||||
// inplace
|
||||
func HashPassword(u *models.User, salt string) error {
|
||||
bytes, err := bcrypt.GenerateFromPassword([]byte(u.Password+salt), bcrypt.DefaultCost)
|
||||
if err == nil {
|
||||
u.Password = string(bytes)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
@ -1 +1 @@
|
||||
1.4.1
|
||||
1.5.0
|
Loading…
Reference in New Issue
Block a user