Remove salt from bcrypt password, because it's useless

2024-04-23 18:30:19 +02:00
parent baad757371
commit df3068728a
4 changed files with 8 additions and 15 deletions


@ -7,7 +7,6 @@ import (
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"stevenlr.com/timer/model" "stevenlr.com/timer/model"
"stevenlr.com/timer/utils"
) )
func initializeDatabaseV1(db *sql.DB) error { func initializeDatabaseV1(db *sql.DB) error {
@ -40,7 +39,6 @@ func initializeDatabaseV1(db *sql.DB) error {
CREATE TABLE User ( CREATE TABLE User (
Id BLOB NOT NULL UNIQUE, Id BLOB NOT NULL UNIQUE,
Name TEXT NOT NULL, Name TEXT NOT NULL,
Salt TEXT NOT NULL,
Password BLOB NOT NULL, Password BLOB NOT NULL,
PRIMARY KEY (id) PRIMARY KEY (id)
)`) )`)
@ -50,17 +48,13 @@ func initializeDatabaseV1(db *sql.DB) error {
userName := "admin" userName := "admin"
userPassword := "admin" userPassword := "admin"
salt, err := utils.GenerateRandomString(33)
password, err := bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.MinCost)
if err != nil { if err != nil {
return err return err
} }
password, err := bcrypt.GenerateFromPassword([]byte(salt+userPassword), bcrypt.MinCost) _, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3)`, model.MakeUUID(), userName, password)
if err != nil {
return err
}
_, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3, $4)`, model.MakeUUID(), userName, salt, password)
if err != nil { if err != nil {
return err return err
} }
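Review bot: `bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.MinCost)` hashes the seeded admin password at cost 4, the lowest value bcrypt accepts; dropping the hand-rolled prefix salt is fine because bcrypt embeds its own 16-byte random salt in the returned hash, but that leaves the work factor as the only thing protecting a leaked hash, so use `bcrypt.DefaultCost` (10) or higher here. The bootstrap also seeds the well-known `admin`/`admin` pair into the User table; if that is intentional, a comment such as `// Default bootstrap credentials — must be rotated on first login` and a forced-change path would make the risk explicit. initializeDatabaseV1 starts and ends outside the hunk.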


@ -7,30 +7,29 @@ import (
type User struct { type User struct {
Id UUID Id UUID
Name string Name string
Salt string
Password []byte Password []byte
} }
func GetUserByName(db *sql.DB, name string) *User { func GetUserByName(db *sql.DB, name string) *User {
row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Name=$1", name) row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Name=$1", name)
if row == nil { if row == nil {
return nil return nil
} }
var user User var user User
row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password) row.Scan(&user.Id, &user.Name, &user.Password)
return &user return &user
} }
func GetUserById(db *sql.DB, id UUID) *User { func GetUserById(db *sql.DB, id UUID) *User {
row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Id=$1", id) row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Id=$1", id)
if row == nil { if row == nil {
return nil return nil
} }
var user User var user User
row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password) row.Scan(&user.Id, &user.Name, &user.Password)
return &user return &user
} }
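Review bot: The error from `row.Scan(&user.Id, &user.Name, &user.Password)` is discarded in both GetUserByName and GetUserById, and the `if row == nil` guard above it never fires because database/sql's QueryRow always returns a non-nil *sql.Row; an unknown name or id therefore yields a zero-value User with an empty Password instead of nil. Checking the result, `if err := row.Scan(&user.Id, &user.Name, &user.Password); err != nil { return nil }`, restores the nil-on-miss contract the callers appear to expect and stops sql.ErrNoRows (or a column-count mismatch from this schema change) from being silently swallowed. Both functions are complete within this section.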

timer.db



@ -269,7 +269,7 @@ func (server *TimerServer) handlePostLogin(w http.ResponseWriter, r *http.Reques
return return
} }
err := bcrypt.CompareHashAndPassword(user.Password, []byte(user.Salt+userPass)) err := bcrypt.CompareHashAndPassword(user.Password, []byte(userPass))
if err != nil { if err != nil {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
view.LoginFormError(nil, "Incorrect credentials").Render(context.Background(), w) view.LoginFormError(nil, "Incorrect credentials").Render(context.Background(), w)
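Review bot: `bcrypt.CompareHashAndPassword(user.Password, []byte(userPass))` returns almost immediately when user.Password is empty (bcrypt rejects a too-short hash before doing any work), whereas a real user costs a full bcrypt verification, so if the lookup above hands back a zero-value User for unknown names the response time reveals which usernames exist. Comparing against a fixed, precomputed dummy hash when the user is not found, or running the compare unconditionally, equalises the two paths. Answering a failed login with 400 is also unusual; `w.WriteHeader(http.StatusUnauthorized)` is the conventional signal. handlePostLogin starts and ends outside the hunk.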