implement the new password hashing approach (#156)

This commit is contained in:
Michael Quigley 2023-01-23 12:50:24 -05:00
parent 45d83d1521
commit b32ee6350e
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
6 changed files with 68 additions and 15 deletions


@ -26,7 +26,12 @@ func loginHandler(params account.LoginParams) middleware.Responder {
logrus.Errorf("error finding account '%v': %v", params.Body.Email, err) logrus.Errorf("error finding account '%v': %v", params.Body.Email, err)
return account.NewLoginUnauthorized() return account.NewLoginUnauthorized()
} }
if a.Password != hashPassword(params.Body.Password) { hpwd, err := rehashPassword(params.Body.Password, a.Salt)
if err != nil {
logrus.Errorf("error hashing password for '%v': %v", params.Body.Email, err)
return account.NewLoginUnauthorized()
}
if a.Password != hpwd.Password {
logrus.Errorf("password mismatch for account '%v'", params.Body.Email) logrus.Errorf("password mismatch for account '%v'", params.Body.Email)
return account.NewLoginUnauthorized() return account.NewLoginUnauthorized()
} }
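Review bot: The new comparison `if a.Password != hpwd.Password {` is a plain string comparison of two base64-encoded Argon2id outputs; a password check should use `if subtle.ConstantTimeCompare([]byte(a.Password), []byte(hpwd.Password)) != 1 {` from crypto/subtle so the mismatch branch does not depend on where the strings first differ. Accounts stored before this commit carry no salt and a SHA-512 hex password, so `rehashPassword(params.Body.Password, a.Salt)` will run with an empty (or NULL-scanned) salt and those logins will always fail; none of the six changed files appears to migrate or re-hash them, so a rehash-on-login path or a forced reset is needed unless one exists elsewhere. loginHandler begins and ends outside the hunk.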

43
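--- /dev/null
+++ b/controller/passwords.go
@@ -0,0 +1,43 @@
+package controller
+import (
+"crypto/rand"
+"encoding/base64"
+"encoding/binary"
+"github.com/michaelquigley/pfxlog"
+"golang.org/x/crypto/argon2"
+)
+type hashedPassword struct {
+Password string
+Salt string
+}
+func salt() string {
+buf := make([]byte, binary.MaxVarintLen64)
+_, err := rand.Read(buf)
+if err != nil {
+pfxlog.Logger().Panic(err)
+}
+return base64.StdEncoding.EncodeToString(buf)
+}
+func hashPassword(password string) (*hashedPassword, error) {
+return rehashPassword(password, salt())
+}
+func rehashPassword(password string, salt string) (*hashedPassword, error) {
+s, err := base64.StdEncoding.DecodeString(salt)
+if err != nil {
+return nil, err
+}
+hash := argon2.IDKey([]byte(password), s, 1, 3*1024, 4, 32)
+return &hashedPassword{
+Password: base64.StdEncoding.EncodeToString(hash),
+Salt: salt,
+}, nil
+}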
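Review bot: `salt()` panics on a crypto/rand failure even though every caller of `hashPassword` already handles an error, and the salt length is borrowed from `binary.MaxVarintLen64` (10 bytes), a constant unrelated to password hashing; return the error instead and size the salt explicitly (RFC 9106 recommends 16 bytes), which also drops the pfxlog and encoding/binary imports. The Argon2id parameters `1, 3*1024, 4, 32` are inlined in `rehashPassword` with no documentation — 3 MiB of memory is well below the RFC 9106 recommended settings, and because only the salt and raw hash are stored, the parameters can never be raised later without invalidating every stored password; naming them as constants and recording them alongside the hash (for example the PHC string format) keeps future tuning possible. None of the three functions or the struct carries a doc comment; a one-liner on `hashedPassword` stating that both fields are standard-alphabet base64, and on `rehashPassword` that it is the verification path for a stored salt, would help the next reader.
```go
// Argon2id cost parameters. Changing any of them invalidates every stored
// hash unless the parameters are recorded alongside the hash.
const (
	argonTime    = 1
	argonMemory  = 3 * 1024
	argonThreads = 4
	argonKeyLen  = 32
	saltLen      = 16
)

// salt returns a fresh random salt, base64 (standard alphabet) encoded.
func salt() (string, error) {
	buf := make([]byte, saltLen)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// hashPassword derives a new salt and hashes password with it.
func hashPassword(password string) (*hashedPassword, error) {
	s, err := salt()
	if err != nil {
		return nil, err
	}
	return rehashPassword(password, s)
}
// … unchanged: rehashPassword, with argon2.IDKey called using the constants above …
```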


@ -38,9 +38,15 @@ func (self *registerHandler) Handle(params account.RegisterParams) middleware.Re
logrus.Error(err) logrus.Error(err)
return account.NewRegisterInternalServerError() return account.NewRegisterInternalServerError()
} }
hpwd, err := hashPassword(params.Body.Password)
if err != nil {
logrus.Error(err)
return account.NewRegisterInternalServerError()
}
a := &store.Account{ a := &store.Account{
Email: ar.Email, Email: ar.Email,
Password: hashPassword(params.Body.Password), Salt: hpwd.Salt,
Password: hpwd.Password,
Token: token, Token: token,
} }
if _, err := str.CreateAccount(a, tx); err != nil { if _, err := str.CreateAccount(a, tx); err != nil {


@ -37,7 +37,13 @@ func (handler *resetPasswordHandler) Handle(params account.ResetPasswordParams)
logrus.Error(err) logrus.Error(err)
return account.NewResetPasswordNotFound() return account.NewResetPasswordNotFound()
} }
a.Password = hashPassword(params.Body.Password) hpwd, err := hashPassword(params.Body.Password)
if err != nil {
logrus.Error(err)
return account.NewResetPasswordRequestInternalServerError()
}
a.Salt = hpwd.Salt
a.Password = hpwd.Password
if _, err := str.UpdateAccount(a, tx); err != nil { if _, err := str.UpdateAccount(a, tx); err != nil {
logrus.Error(err) logrus.Error(err)
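Review bot: The new error branch returns `account.NewResetPasswordRequestInternalServerError()`, which by its name is the responder generated for the reset-password *request* operation rather than for the reset-password operation this `resetPasswordHandler` serves; the sibling branch a few lines up returns `account.NewResetPasswordNotFound()`. This compiles because both satisfy middleware.Responder, but it ties this handler's 500 response to another operation's generated type, so if the generated `account` package defines an internal-server-error responder for the reset-password operation itself, return that instead. The Handle method begins and ends outside the hunk.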


@ -8,18 +8,19 @@ import (
type Account struct { type Account struct {
Model Model
Email string Email string
Salt string
Password string Password string
Token string Token string
Limitless bool Limitless bool
} }
func (self *Store) CreateAccount(a *Account, tx *sqlx.Tx) (int, error) { func (self *Store) CreateAccount(a *Account, tx *sqlx.Tx) (int, error) {
stmt, err := tx.Prepare("insert into accounts (email, password, token, limitless) values ($1, $2, $3, $4) returning id") stmt, err := tx.Prepare("insert into accounts (email, salt, password, token, limitless) values ($1, $2, $3, $4, $5) returning id")
if err != nil { if err != nil {
return 0, errors.Wrap(err, "error preparing accounts insert statement") return 0, errors.Wrap(err, "error preparing accounts insert statement")
} }
var id int var id int
if err := stmt.QueryRow(a.Email, a.Password, a.Token, a.Limitless).Scan(&id); err != nil { if err := stmt.QueryRow(a.Email, a.Salt, a.Password, a.Token, a.Limitless).Scan(&id); err != nil {
return 0, errors.Wrap(err, "error executing accounts insert statement") return 0, errors.Wrap(err, "error executing accounts insert statement")
} }
return id, nil return id, nil
@ -50,12 +51,12 @@ func (self *Store) FindAccountWithToken(token string, tx *sqlx.Tx) (*Account, er
} }
func (self *Store) UpdateAccount(a *Account, tx *sqlx.Tx) (int, error) { func (self *Store) UpdateAccount(a *Account, tx *sqlx.Tx) (int, error) {
stmt, err := tx.Prepare("update accounts set email=$1, password=$2, token=$3, limitless=$4 where id = $5") stmt, err := tx.Prepare("update accounts set email=$1, salt=$2, password=$3, token=$4, limitless=$5 where id = $6")
if err != nil { if err != nil {
return 0, errors.Wrap(err, "error preparing accounts update statement") return 0, errors.Wrap(err, "error preparing accounts update statement")
} }
var id int var id int
if _, err := stmt.Exec(a.Email, a.Password, a.Token, a.Limitless, a.Id); err != nil { if _, err := stmt.Exec(a.Email, a.Salt, a.Password, a.Token, a.Limitless, a.Id); err != nil {
return 0, errors.Wrap(err, "error executing accounts update statement") return 0, errors.Wrap(err, "error executing accounts update statement")
} }
return id, nil return id, nil
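Review bot: Both prepared statements now reference an `accounts.salt` column (`insert into accounts (email, salt, password, ...)` and `update accounts set email=$1, salt=$2, ...`), but none of the six files in this commit is a schema migration, so unless the column was added in an earlier commit CreateAccount and UpdateAccount will fail at execute time. If the column is added as nullable, rows that predate this change will carry a NULL salt and scanning them into the plain `string` field `Salt` will error; declare it `not null default ''` or scan through `sql.NullString`. UpdateAccount's `var id int` is declared but never assigned, so the method always returns 0 — pre-existing rather than introduced here, but worth a `// TODO: id is never populated` while the statement is being touched.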


@ -1,9 +1,7 @@
package controller package controller
import ( import (
"crypto/sha512"
"crypto/x509" "crypto/x509"
"encoding/hex"
errors2 "github.com/go-openapi/errors" errors2 "github.com/go-openapi/errors"
"github.com/jaevor/go-nanoid" "github.com/jaevor/go-nanoid"
"github.com/openziti/edge/rest_management_api_client" "github.com/openziti/edge/rest_management_api_client"
@ -83,12 +81,6 @@ func createToken() (string, error) {
return gen(), nil return gen(), nil
} }
func hashPassword(raw string) string {
hash := sha512.New()
hash.Write([]byte(raw))
return hex.EncodeToString(hash.Sum(nil))
}
func realRemoteAddress(req *http.Request) string { func realRemoteAddress(req *http.Request) string {
ip := strings.Split(req.RemoteAddr, ":")[0] ip := strings.Split(req.RemoteAddr, ":")[0]
fwdAddress := req.Header.Get("X-Forwarded-For") fwdAddress := req.Header.Get("X-Forwarded-For")