extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2025-06-20 17:58:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #177 from openziti/passwords

Browse Source 
Password Salting and Improved Hashing (#156)
This commit is contained in:
Michael Quigley 2023-01-23 13:04:36 -05:00 committed by GitHub
commit 1265de3218
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 109 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
controller/login.go
View File

@ -26,7 +26,12 @@ func loginHandler(params account.LoginParams) middleware.Responder {
logrus.Errorf("error finding account '%v': %v", params.Body.Email, err) logrus.Errorf("error finding account '%v': %v", params.Body.Email, err)
return account.NewLoginUnauthorized() return account.NewLoginUnauthorized()
} }
if a.Password != hashPassword(params.Body.Password) { hpwd, err := rehashPassword(params.Body.Password, a.Salt)
if err != nil {
logrus.Errorf("error hashing password for '%v': %v", params.Body.Email, err)
return account.NewLoginUnauthorized()
}
if a.Password != hpwd.Password {
logrus.Errorf("password mismatch for account '%v'", params.Body.Email) logrus.Errorf("password mismatch for account '%v'", params.Body.Email)
return account.NewLoginUnauthorized() return account.NewLoginUnauthorized()
} }

43
controller/passwords.go Normal file
View File

@ -0,0 +1,43 @@
package controller
import (
"crypto/rand"
"encoding/base64"
"encoding/binary"
"github.com/michaelquigley/pfxlog"
"golang.org/x/crypto/argon2"
)
type hashedPassword struct {
Password string
Salt string
}
func salt() string {
buf := make([]byte, binary.MaxVarintLen64)
_, err := rand.Read(buf)
if err != nil {
pfxlog.Logger().Panic(err)
}
return base64.StdEncoding.EncodeToString(buf)
}
func hashPassword(password string) (*hashedPassword, error) {
return rehashPassword(password, salt())
}
func rehashPassword(password string, salt string) (*hashedPassword, error) {
s, err := base64.StdEncoding.DecodeString(salt)
if err != nil {
return nil, err
}
hash := argon2.IDKey([]byte(password), s, 1, 3*1024, 4, 32)
return &hashedPassword{
Password: base64.StdEncoding.EncodeToString(hash),
Salt: salt,
}, nil
}

8
controller/register.go
View File

@ -38,9 +38,15 @@ func (self *registerHandler) Handle(params account.RegisterParams) middleware.Re
logrus.Error(err) logrus.Error(err)
return account.NewRegisterInternalServerError() return account.NewRegisterInternalServerError()
} }
hpwd, err := hashPassword(params.Body.Password)
if err != nil {
logrus.Error(err)
return account.NewRegisterInternalServerError()
}
a := &store.Account{ a := &store.Account{
Email: ar.Email, Email: ar.Email,
Password: hashPassword(params.Body.Password), Salt: hpwd.Salt,
Password: hpwd.Password,
Token: token, Token: token,
} }
if _, err := str.CreateAccount(a, tx); err != nil { if _, err := str.CreateAccount(a, tx); err != nil {

8
controller/resetPassword.go
View File

@ -37,7 +37,13 @@ func (handler *resetPasswordHandler) Handle(params account.ResetPasswordParams)
logrus.Error(err) logrus.Error(err)
return account.NewResetPasswordNotFound() return account.NewResetPasswordNotFound()
} }
a.Password = hashPassword(params.Body.Password) hpwd, err := hashPassword(params.Body.Password)
if err != nil {
logrus.Error(err)
return account.NewResetPasswordRequestInternalServerError()
}
a.Salt = hpwd.Salt
a.Password = hpwd.Password
if _, err := str.UpdateAccount(a, tx); err != nil { if _, err := str.UpdateAccount(a, tx); err != nil {
logrus.Error(err) logrus.Error(err)

9
controller/store/account.go
View File

@ -8,18 +8,19 @@ import (
type Account struct { type Account struct {
Model Model
Email string Email string
Salt string
Password string Password string
Token string Token string
Limitless bool Limitless bool
} }
func (self *Store) CreateAccount(a *Account, tx *sqlx.Tx) (int, error) { func (self *Store) CreateAccount(a *Account, tx *sqlx.Tx) (int, error) {
stmt, err := tx.Prepare("insert into accounts (email, password, token, limitless) values ($1, $2, $3, $4) returning id") stmt, err := tx.Prepare("insert into accounts (email, salt, password, token, limitless) values ($1, $2, $3, $4, $5) returning id")
if err != nil { if err != nil {
return 0, errors.Wrap(err, "error preparing accounts insert statement") return 0, errors.Wrap(err, "error preparing accounts insert statement")
} }
var id int var id int
if err := stmt.QueryRow(a.Email, a.Password, a.Token, a.Limitless).Scan(&id); err != nil { if err := stmt.QueryRow(a.Email, a.Salt, a.Password, a.Token, a.Limitless).Scan(&id); err != nil {
return 0, errors.Wrap(err, "error executing accounts insert statement") return 0, errors.Wrap(err, "error executing accounts insert statement")
} }
return id, nil return id, nil
@ -50,12 +51,12 @@ func (self *Store) FindAccountWithToken(token string, tx *sqlx.Tx) (*Account, er
} }
func (self *Store) UpdateAccount(a *Account, tx *sqlx.Tx) (int, error) { func (self *Store) UpdateAccount(a *Account, tx *sqlx.Tx) (int, error) {
stmt, err := tx.Prepare("update accounts set email=$1, password=$2, token=$3, limitless=$4 where id = $5") stmt, err := tx.Prepare("update accounts set email=$1, salt=$2, password=$3, token=$4, limitless=$5 where id = $6")
if err != nil { if err != nil {
return 0, errors.Wrap(err, "error preparing accounts update statement") return 0, errors.Wrap(err, "error preparing accounts update statement")
} }
var id int var id int
if _, err := stmt.Exec(a.Email, a.Password, a.Token, a.Limitless, a.Id); err != nil { if _, err := stmt.Exec(a.Email, a.Salt, a.Password, a.Token, a.Limitless, a.Id); err != nil {
return 0, errors.Wrap(err, "error executing accounts update statement") return 0, errors.Wrap(err, "error executing accounts update statement")
} }
return id, nil return id, nil

38
controller/store/sql/postgresql/007_v0_3_0_salted_passwords.sql Normal file
View File

@ -0,0 +1,38 @@
-- +migrate Up
alter table accounts rename to accounts_old;
alter sequence accounts_id_seq rename to accounts_id_seq_old;
create table accounts (
id serial primary key,
email varchar(1024) not null unique,
salt varchar(16) not null default(''),
password varchar(64) not null default(''),
token varchar(32) not null unique,
limitless boolean not null default(false),
created_at timestamp not null default(current_timestamp),
updated_at timestamp not null default(current_timestamp),
constraint chk_email check (email <> ''),
constraint chk_token check(token <> '')
);
insert into accounts(id, email, token, limitless, created_at, updated_at)
select id, email, token, limitless, created_at, updated_at from accounts_old;
alter table accounts alter column salt drop default;
alter table accounts alter column password drop default;
select setval('accounts_id_seq', (select max(id) from accounts));
alter table environments drop constraint fk_accounts_id;
alter table environments add constraint fk_accounts_id foreign key (account_id) references accounts(id);
alter table password_reset_requests drop constraint fk_accounts_password_reset_requests;
alter table password_reset_requests add constraint fk_accounts_password_reset_requests foreign key (account_id) references accounts(id);
drop table accounts_old;
alter index accounts_pkey1 rename to accounts_pkey;
alter index accounts_email_key1 rename to accounts_email_key;
alter index accounts_token_key1 rename to accounts_token_key;

3
controller/store/sql/sqlite3/007_v0_3_0_salted_passwords.sql Normal file
View File

@ -0,0 +1,3 @@
-- +migrate Up
alter table accounts add column salt string;

8
controller/util.go
View File

@ -1,9 +1,7 @@
package controller package controller
import ( import (
"crypto/sha512"
"crypto/x509" "crypto/x509"
"encoding/hex"
errors2 "github.com/go-openapi/errors" errors2 "github.com/go-openapi/errors"
"github.com/jaevor/go-nanoid" "github.com/jaevor/go-nanoid"
"github.com/openziti/edge/rest_management_api_client" "github.com/openziti/edge/rest_management_api_client"
@ -83,12 +81,6 @@ func createToken() (string, error) {
return gen(), nil return gen(), nil
} }
func hashPassword(raw string) string {
hash := sha512.New()
hash.Write([]byte(raw))
return hex.EncodeToString(hash.Sum(nil))
}
func realRemoteAddress(req *http.Request) string { func realRemoteAddress(req *http.Request) string {
ip := strings.Split(req.RemoteAddr, ":")[0] ip := strings.Split(req.RemoteAddr, ":")[0]
fwdAddress := req.Header.Get("X-Forwarded-For") fwdAddress := req.Header.Get("X-Forwarded-For")