From df3068728abacfc98fa19f3dba62b35f65aea731 Mon Sep 17 00:00:00 2001
From: Steven Le Rouzic
Date: Tue, 23 Apr 2024 18:30:19 +0200
Subject: Remove salt from bcrypt password, because it's useless

---
 database.go | 10 ++--------
 model/user.go | 9 ++++-----
 timer.db | Bin 28672 -> 28672 bytes
 timer.go | 2 +-
 4 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/database.go b/database.go
index 583974f..c53b828 100644
--- a/database.go
+++ b/database.go
@@ -7,7 +7,6 @@ import (
 "golang.org/x/crypto/bcrypt"
 "stevenlr.com/timer/model"
- "stevenlr.com/timer/utils"
 )
 func initializeDatabaseV1(db *sql.DB) error {
@@ -40,7 +39,6 @@ func initializeDatabaseV1(db *sql.DB) error {
 CREATE TABLE User (
 Id BLOB NOT NULL UNIQUE,
 Name TEXT NOT NULL,
- Salt TEXT NOT NULL,
 Password BLOB NOT NULL,
 PRIMARY KEY (id)
 )`)
@@ -50,17 +48,13 @@ func initializeDatabaseV1(db *sql.DB) error {
 userName := "admin"
 userPassword := "admin"
- salt, err := utils.GenerateRandomString(33)
- if err != nil {
- return err
- }
- password, err := bcrypt.GenerateFromPassword([]byte(salt+userPassword), bcrypt.MinCost)
+ password, err := bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.MinCost)
 if err != nil {
 return err
 }
- _, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3, $4)`, model.MakeUUID(), userName, salt, password)
+ _, err = tx.Exec(`INSERT INTO User VALUES ($1, $2, $3)`, model.MakeUUID(), userName, password)
 if err != nil {
 return err
 }
diff --git a/model/user.go b/model/user.go
index 09562bd..25a2360 100644
--- a/model/user.go
+++ b/model/user.go
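Review bot: The rewritten `GenerateFromPassword` call in the third database.go hunk keeps `bcrypt.MinCost`, which is cost 4 and leaves the stored admin hash cheap to attack offline if the database file leaks; since the line is already being touched it should read `password, err := bcrypt.GenerateFromPassword([]byte(userPassword), bcrypt.DefaultCost)`. Dropping the prepended salt is correct in itself, because bcrypt generates and embeds a per-hash salt, and a comment on that line such as `// bcrypt salts internally; do not add an application-level salt` would stop a later reader from re-adding one. The seeded `admin`/`admin` credentials stay hard-coded; if that is a deliberate first-run bootstrap, the function should say so in a comment and the login flow should force a password change on first use. initializeDatabaseV1 continues outside the hunk.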
@@ -7,30 +7,29 @@ import (
 type User struct {
 Id UUID
 Name string
- Salt string
 Password []byte
 }
 func GetUserByName(db *sql.DB, name string) *User {
- row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Name=$1", name)
+ row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Name=$1", name)
 if row == nil {
 return nil
 }
 var user User
- row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password)
+ row.Scan(&user.Id, &user.Name, &user.Password)
 return &user
 }
 func GetUserById(db *sql.DB, id UUID) *User {
- row := db.QueryRow("SELECT Id, Name, Salt, Password FROM User WHERE Id=$1", id)
+ row := db.QueryRow("SELECT Id, Name, Password FROM User WHERE Id=$1", id)
 if row == nil {
 return nil
 }
 var user User
- row.Scan(&user.Id, &user.Name, &user.Salt, &user.Password)
+ row.Scan(&user.Id, &user.Name, &user.Password)
 return &user
 }
diff --git a/timer.db b/timer.db
index e71c0f4..606b560 100644
Binary files a/timer.db and b/timer.db differ
diff --git a/timer.go b/timer.go
index 7d5f320..4b29726 100644
--- a/timer.go
+++ b/timer.go
@@ -269,7 +269,7 @@ func (server *TimerServer) handlePostLogin(w http.ResponseWriter, r *http.Reques
 return
 }
- err := bcrypt.CompareHashAndPassword(user.Password, []byte(user.Salt+userPass))
+ err := bcrypt.CompareHashAndPassword(user.Password, []byte(userPass))
 if err != nil {
 w.WriteHeader(http.StatusBadRequest)
 view.LoginFormError(nil, "Incorrect credentials").Render(context.Background(), w)
-- cgit
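Review bot: The new `row.Scan(&user.Id, &user.Name, &user.Password)` lines in `GetUserByName` and `GetUserById` still discard Scan's error, so a lookup for a name or id that does not exist (`sql.ErrNoRows`) returns a non-nil `*User` with an empty `Password` rather than nil, and the `if row == nil` guard above them never fires because `(*sql.DB).QueryRow` always returns a non-nil `*sql.Row`. Callers then run bcrypt against an empty hash, which only fails by accident. The guard should be replaced by a check on the scan, `if err := row.Scan(&user.Id, &user.Name, &user.Password); err != nil { return nil }`, in both functions, with a `// TODO: surface errors other than sql.ErrNoRows to the caller` comment marking the error that is still swallowed. Both functions are complete within the hunk.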
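Review bot: The compare on the new timer.go line maps every `bcrypt.CompareHashAndPassword` error to `Incorrect credentials`, so a malformed or empty stored hash (`bcrypt.ErrHashTooShort`) is indistinguishable from a wrong password in the server's own view; the generic client message is right, but the handler should test `errors.Is(err, bcrypt.ErrMismatchedHashAndPassword)` and log any other error server-side so a corrupted row is noticed. If the lookup path before the hunk returns early for an unknown user without calling bcrypt, that branch responds measurably faster than the known-user branch; comparing against a fixed dummy hash there keeps the two timings uniform. The failure status is `http.StatusBadRequest`, where `http.StatusUnauthorized` describes the outcome more precisely, though that is a style point. handlePostLogin starts before the hunk and continues after it, so the code that produces `user` is not visible here.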