implement the new password hashing approach (#156)

2024-11-25 09:33:43 +01:00 · 2023-01-23 12:50:24 -05:00 · 2023-01-23 12:50:24 -05:00 · b32ee6350e
commit b32ee6350e
parent 45d83d1521
6 changed files with 68 additions and 15 deletions
--- a/controller/login.go
+++ b/controller/login.go
@ -26,7 +26,12 @@ func loginHandler(params account.LoginParams) middleware.Responder {
 		logrus.Errorf("error finding account '%v': %v", params.Body.Email, err)
 		return account.NewLoginUnauthorized()
 	}
-	if a.Password != hashPassword(params.Body.Password) {
+	hpwd, err := rehashPassword(params.Body.Password, a.Salt)
+	if err != nil {
+		logrus.Errorf("error hashing password for '%v': %v", params.Body.Email, err)
+		return account.NewLoginUnauthorized()
+	}
+	if a.Password != hpwd.Password {
 		logrus.Errorf("password mismatch for account '%v'", params.Body.Email)
 		return account.NewLoginUnauthorized()
 	}
--- a/controller/passwords.go
+++ b/controller/passwords.go
@ -0,0 +1,43 @@
+package controller
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/binary"
+	"github.com/michaelquigley/pfxlog"
+	"golang.org/x/crypto/argon2"
+)
+
+type hashedPassword struct {
+	Password string
+	Salt     string
+}
+
+func salt() string {
+	buf := make([]byte, binary.MaxVarintLen64)
+	_, err := rand.Read(buf)
+
+	if err != nil {
+		pfxlog.Logger().Panic(err)
+	}
+
+	return base64.StdEncoding.EncodeToString(buf)
+}
+
+func hashPassword(password string) (*hashedPassword, error) {
+	return rehashPassword(password, salt())
+}
+
+func rehashPassword(password string, salt string) (*hashedPassword, error) {
+	s, err := base64.StdEncoding.DecodeString(salt)
+	if err != nil {
+		return nil, err
+	}
+
+	hash := argon2.IDKey([]byte(password), s, 1, 3*1024, 4, 32)
+
+	return &hashedPassword{
+		Password: base64.StdEncoding.EncodeToString(hash),
+		Salt:     salt,
+	}, nil
+}
--- a/controller/register.go
+++ b/controller/register.go
@ -38,9 +38,15 @@ func (self *registerHandler) Handle(params account.RegisterParams) middleware.Re
 		logrus.Error(err)
 		return account.NewRegisterInternalServerError()
 	}
+	hpwd, err := hashPassword(params.Body.Password)
+	if err != nil {
+		logrus.Error(err)
+		return account.NewRegisterInternalServerError()
+	}
 	a := &store.Account{
 		Email:    ar.Email,
-		Password: hashPassword(params.Body.Password),
+		Salt:     hpwd.Salt,
+		Password: hpwd.Password,
 		Token:    token,
 	}
 	if _, err := str.CreateAccount(a, tx); err != nil {
--- a/controller/resetPassword.go
+++ b/controller/resetPassword.go
@ -37,7 +37,13 @@ func (handler *resetPasswordHandler) Handle(params account.ResetPasswordParams)
 		logrus.Error(err)
 		return account.NewResetPasswordNotFound()
 	}
-	a.Password = hashPassword(params.Body.Password)
+	hpwd, err := hashPassword(params.Body.Password)
+	if err != nil {
+		logrus.Error(err)
+		return account.NewResetPasswordRequestInternalServerError()
+	}
+	a.Salt = hpwd.Salt
+	a.Password = hpwd.Password

 	if _, err := str.UpdateAccount(a, tx); err != nil {
 		logrus.Error(err)
--- a/controller/store/account.go
+++ b/controller/store/account.go
@ -8,18 +8,19 @@ import (
 type Account struct {
 	Model
 	Email     string
+	Salt      string
 	Password  string
 	Token     string
 	Limitless bool
 }

 func (self *Store) CreateAccount(a *Account, tx *sqlx.Tx) (int, error) {
-	stmt, err := tx.Prepare("insert into accounts (email, password, token, limitless) values ($1, $2, $3, $4) returning id")
+	stmt, err := tx.Prepare("insert into accounts (email, salt, password, token, limitless) values ($1, $2, $3, $4, $5) returning id")
 	if err != nil {
 		return 0, errors.Wrap(err, "error preparing accounts insert statement")
 	}
 	var id int
-	if err := stmt.QueryRow(a.Email, a.Password, a.Token, a.Limitless).Scan(&id); err != nil {
+	if err := stmt.QueryRow(a.Email, a.Salt, a.Password, a.Token, a.Limitless).Scan(&id); err != nil {
 		return 0, errors.Wrap(err, "error executing accounts insert statement")
 	}
 	return id, nil
@ -50,12 +51,12 @@ func (self *Store) FindAccountWithToken(token string, tx *sqlx.Tx) (*Account, er
 }

 func (self *Store) UpdateAccount(a *Account, tx *sqlx.Tx) (int, error) {
-	stmt, err := tx.Prepare("update accounts set email=$1, password=$2, token=$3, limitless=$4 where id = $5")
+	stmt, err := tx.Prepare("update accounts set email=$1, salt=$2, password=$3, token=$4, limitless=$5 where id = $6")
 	if err != nil {
 		return 0, errors.Wrap(err, "error preparing accounts update statement")
 	}
 	var id int
-	if _, err := stmt.Exec(a.Email, a.Password, a.Token, a.Limitless, a.Id); err != nil {
+	if _, err := stmt.Exec(a.Email, a.Salt, a.Password, a.Token, a.Limitless, a.Id); err != nil {
 		return 0, errors.Wrap(err, "error executing accounts update statement")
 	}
 	return id, nil
--- a/controller/util.go
+++ b/controller/util.go
@ -1,9 +1,7 @@
 package controller

 import (
-	"crypto/sha512"
 	"crypto/x509"
-	"encoding/hex"
 	errors2 "github.com/go-openapi/errors"
 	"github.com/jaevor/go-nanoid"
 	"github.com/openziti/edge/rest_management_api_client"
@ -83,12 +81,6 @@ func createToken() (string, error) {
 	return gen(), nil
 }

-func hashPassword(raw string) string {
-	hash := sha512.New()
-	hash.Write([]byte(raw))
-	return hex.EncodeToString(hash.Sum(nil))
-}
-
 func realRemoteAddress(req *http.Request) string {
 	ip := strings.Split(req.RemoteAddr, ":")[0]
 	fwdAddress := req.Header.Get("X-Forwarded-For")