Remove salt from bcrypt password, because it's useless
This commit is contained in:
12
database.go
12
database.go
@ -7,7 +7,6 @@ import (
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
|
||||
"stevenlr.com/timer/model"
|
||||
"stevenlr.com/timer/utils"
|
||||
)
|
||||
|
||||
func initializeDatabaseV1(db *sql.DB) error {
|
||||
@ -40,7 +39,6 @@ func initializeDatabaseV1(db *sql.DB) error {
|
||||
CREATE TABLE User (
|
||||
Id BLOB NOT NULL UNIQUE,
|
||||
Name TEXT NOT NULL,
|
||||
Salt TEXT NOT NULL,
|
||||
Password BLOB NOT NULL,
|
||||
PRIMARY KEY (id)
|
||||
)`)
|
||||
@ -50,17 +48,13 @@ func initializeDatabaseV1(db *sql.DB) error {
|
||||
|
||||
userName := "admin"
|
||||
userPassword := "admin"
|
||||
salt, err := utils.GenerateRandomString(33)
|
||||
|
||||
password, err := bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.MinCost)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
password, err := bcrypt.GenerateFromPassword([]byte(salt+userPassword), bcrypt.MinCost)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3, $4)`, model.MakeUUID(), userName, salt, password)
|
||||
_, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3)`, model.MakeUUID(), userName, password)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@ -7,30 +7,29 @@ import (
|
||||
type User struct {
|
||||
Id UUID
|
||||
Name string
|
||||
Salt string
|
||||
Password []byte
|
||||
}
|
||||
|
||||
func GetUserByName(db *sql.DB, name string) *User {
|
||||
row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Name=$1", name)
|
||||
row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Name=$1", name)
|
||||
if row == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var user User
|
||||
row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password)
|
||||
row.Scan(&user.Id, &user.Name, &user.Password)
|
||||
|
||||
return &user
|
||||
}
|
||||
|
||||
func GetUserById(db *sql.DB, id UUID) *User {
|
||||
row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Id=$1", id)
|
||||
row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Id=$1", id)
|
||||
if row == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var user User
|
||||
row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password)
|
||||
row.Scan(&user.Id, &user.Name, &user.Password)
|
||||
|
||||
return &user
|
||||
}
|
||||
|
||||
2
timer.go
2
timer.go
@ -269,7 +269,7 @@ func (server *TimerServer) handlePostLogin(w http.ResponseWriter, r *http.Reques
|
||||
return
|
||||
}
|
||||
|
||||
err := bcrypt.CompareHashAndPassword(user.Password, []byte(user.Salt+userPass))
|
||||
err := bcrypt.CompareHashAndPassword(user.Password, []byte(userPass))
|
||||
if err != nil {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
view.LoginFormError(nil, "Incorrect credentials").Render(context.Background(), w)
|
||||
|
||||
Reference in New Issue
Block a user