From df3068728abacfc98fa19f3dba62b35f65aea731 Mon Sep 17 00:00:00 2001 From: Steven Le Rouzic Date: Tue, 23 Apr 2024 18:30:19 +0200 Subject: [PATCH] Remove salt from bcrypt password, because it's useless --- database.go | 12 +++--------- model/user.go | 9 ++++----- timer.db | Bin 28672 -> 28672 bytes timer.go | 2 +- 4 files changed, 8 insertions(+), 15 deletions(-) diff --git a/database.go b/database.go index 583974f..c53b828 100644 --- a/database.go +++ b/database.go @@ -7,7 +7,6 @@ import ( "golang.org/x/crypto/bcrypt" "stevenlr.com/timer/model" - "stevenlr.com/timer/utils" ) func initializeDatabaseV1(db *sql.DB) error { @@ -40,7 +39,6 @@ func initializeDatabaseV1(db *sql.DB) error { CREATE TABLE User ( Id BLOB NOT NULL UNIQUE, Name TEXT NOT NULL, - Salt TEXT NOT NULL, Password BLOB NOT NULL, PRIMARY KEY (id) )`) @@ -50,17 +48,13 @@ func initializeDatabaseV1(db *sql.DB) error { userName := "admin" userPassword := "admin" - salt, err := utils.GenerateRandomString(33) + + password, err := bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.MinCost) if err != nil { return err } - password, err := bcrypt.GenerateFromPassword([]byte(salt+userPassword), bcrypt.MinCost) - if err != nil { - return err - } - - _, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3, $4)`, model.MakeUUID(), userName, salt, password) + _, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3)`, model.MakeUUID(), userName, password) if err != nil { return err } diff --git a/model/user.go b/model/user.go index 09562bd..25a2360 100644 --- a/model/user.go +++ b/model/user.go 
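Review bot: Dropping `Salt TEXT NOT NULL` from the `CREATE TABLE User` statement in database.go (hunk at `@@ -40,7 +39,6 @@`) edits the V1 schema in place, so a database created before this commit keeps the column and keeps hashes that were computed over `salt+userPassword`. Those stored hashes would presumably stop verifying once the salt prefix is no longer applied at login; the verification code is not visible in this patch, so that is inferred. If any deployed database exists, a separate versioned migration that drops the column and forces a password reset would be safer than rewriting V1. Otherwise a comment above the statement such as `// Schema changed in place: databases created before this change must be recreated` would record the assumption. `initializeDatabaseV1` starts and ends outside this hunk.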
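Review bot: The new `bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.MinCost)` line in database.go (hunk at `@@ -50,17 +48,13 @@`) keeps the lowest work factor bcrypt accepts, which makes offline guessing against a leaked `Password` column cheap. `bcrypt.DefaultCost` or a higher, measured cost is the usual choice: `password, err := bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.DefaultCost)`. Removing the manual salt is sound, because bcrypt generates a per-hash salt and stores it in its output. The seeded account is still `admin`/`admin`, so the initial password would be better taken from configuration or generated once, with a change forced on first login. The enclosing function starts and ends outside this hunk.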
@@ -7,30 +7,29 @@ import ( type User struct { Id UUID Name string - Salt string Password []byte } func GetUserByName(db *sql.DB, name string) *User { - row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Name=$1", name) + row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Name=$1", name) if row == nil { return nil } var user User - row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password) + row.Scan(&user.Id, &user.Name, &user.Password) return &user } func GetUserById(db *sql.DB, id UUID) *User { - row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Id=$1", id) + row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Id=$1", id) if row == nil { return nil } var user User - row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password) + row.Scan(&user.Id, &user.Name, &user.Password) return &user } 
diff --git a/timer.db b/timer.db index e71c0f41d2998b1d5069bccc733e7b8f90af3f2c..606b560f9d584240a74e3fb266ac477f18f54909 100644 GIT binary patch delta 634 zcmZp8z}WDBae_1>+e8^>Nj3((vQA$99}H}~s~PyV@t@^i#QT%4mv{AMK>=gl$&-2g zIR#nR#YIIKn^-5m=8fJQ$G4i1(SNg`f-8T0qaGuNj-;unPNOYjKldrtlZ6$Nc0ZIc zE;!Fsm6lqSnr38RWTITr;(J<&4j7DxYq9 zz?&H8o$TUYlv`Pp9BE?YpO=)F8CjHKqMelQZ%`iSRGAf#W$9LAQ&MCRVc;545|Wah znOTr;S{#t#XBr-&pA)KImYM37_Yd-2&c+$3%yEDi`0~Y;>y%u%TPaa4?oAsDzo4yb3Mll gr>dl=q|}IV&-~oPqTo#dANeKG0vgSuu{8B40MJg+s{jB1 literal 28672 zcmeI)zi;DI00(e8$))v4ZBF7U>lWmpf<{dn$N51hI*I&n$PXuR5~ukgpz_6bE=}Sz ziQA;v0@DqE5E4RSKsp9Cq+6Jfm>3ZY(hW>(4EG1HAYr@L(ndi@$DOJZ-zWci@7eFi z=PARppHe9a9YbZb!Kg1AOpv%mkR{Pnfr>lp9iOT;X03)XVTmqm*UGVDPs5J z!J6j}!oBtxvHqRsC(pyR-_}1eBM16hCa0gQ?oF#49PkHBF*9yI{L4FW6fTBqQn%cg1}S@nNpSaS-AzduTqr6*QJYWJG~TW_lnW8v{FjU^Vg} zU>)7_4!J_pH2Gn`?$jB9CFQu%Ej#@`^~;b)hE>XvKJ&U_=Pb!8PIPs&z-V{c9+Cy9 z%f44oGG{1Wr<=Y@{}YPc#RJYhxx9{lzcparYR%k7j<3yVk0+DFC(9fphAwgpWp;aE$ z>%nY|Yvl5^ZbF~%+#uZK6*ZkN9<#k#t=LQiPY3&ar}IX;dM`MAr#Urpt^QHHEX!Of zB?nIDJLIa5K5MX9qD({6b;52)0$E~jCb#k zvTc7;NHs&J@%?DFJSr+}J(Nhq!nvE)pjz|)C!WXGFute~0uX=z1Rwwb2tWV=5P$## zAOL}97r5>8k&7=(9IrTil=WWW@=J+}`Ty4*{@JU;lMsLa1Rwwb2tWV=5P$##AOL~? zfxvq%b9usxT2bJ5*DRfSQQ!Zq_5Y-2MwlA{1Rwwb2tWV=5P$##AOHafKmY>IU107c z-9B2KyB3%F%Syka%OP2q^eU0mwm;rVAH|IQsZ!1dyGEpw&#BYWkuFzGDqOFb)mxjK zyvc?(<$*t3ueSYfmTT?EP{?LGC*n-q6)S2=)F)Fd-Yb