add password encrypt with bcrytp

go.mod

@@ -5,4 +5,5 @@ go 1.16
 require (
 	github.com/gorilla/sessions v1.2.1
 	github.com/mattn/go-sqlite3 v1.14.7
+	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
 )

go.sum

@@ -4,3 +4,12 @@ github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7Fsg
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/mattn/go-sqlite3 v1.14.7 h1:fxWBnXkxfM6sRiuH3bqJ4CfzZojMOLVc0UTsTglEghA=
 github.com/mattn/go-sqlite3 v1.14.7/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

pkg/database/method_user.go

@@ -1,5 +1,10 @@
 package database
 
+import (
+	"golang.org/x/crypto/bcrypt"
+	"log"
+)
+
 func (database *Database) Login(username string, password string) (*User, error) {
 	database.singleThreadLock.Lock()
 	defer database.singleThreadLock.Unlock()
@@ -7,10 +12,17 @@ func (database *Database) Login(username string, password string) (*User, error)
 	user := &User{}
 
 	// get user from database
-	err := database.stmt.getUser.QueryRow(username, password).Scan(&user.ID, &user.Username, &user.Role, &user.Active, &user.AvatarId)
+	err := database.stmt.getUser.QueryRow(username).Scan(&user.ID, &user.Username, &user.Password, &user.Role, &user.Active, &user.AvatarId)
 	if err != nil {
 		return user, err
 	}
+
+	// validate password
+	err = database.ComparePassword(user.Password, password)
+	if err != nil {
+		return user, err
+	}
+
 	return user, nil
 }
 
@@ -44,6 +56,9 @@ func (database *Database) Register(username string, password string, usertype in
 		active = true
 	}
 
+	// encrypt password
+	password = database.EncryptPassword(password)
+
 	database.singleThreadLock.Lock()
 	defer database.singleThreadLock.Unlock()
 
@@ -130,9 +145,27 @@ func (database *Database) UpdateUserPassword(id int64, password string) error {
 	database.singleThreadLock.Lock()
 	defer database.singleThreadLock.Unlock()
 
+	// encrypt password
+	password = database.EncryptPassword(password)
+
 	_, err := database.stmt.updateUserPassword.Exec(password, id)
 	if err != nil {
 		return err
 	}
 	return nil
 }
+
+func (database *Database) EncryptPassword(password string) string {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		log.Println("[database] Failed to hash password, using plaintext password")
+		return password
+	}
+
+	return string(hash)
+}
+
+func (database *Database) ComparePassword(hashedPassword string, plainTextPassword string) error {
+	err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(plainTextPassword))
+	return err
+}

pkg/database/sql_stmt.go

@@ -193,7 +193,7 @@ var countUserQuery = `SELECT count(*) FROM users;`
 
 var countAdminQuery = `SELECT count(*) FROM users WHERE role= 1;`
 
-var getUserQuery = `SELECT id, username, role, active, avatar_id FROM users WHERE username = ? AND password = ? LIMIT 1;`
+var getUserQuery = `SELECT id, username, password, role, active, avatar_id FROM users WHERE username = ? LIMIT 1;`
 
 var getUsersQuery = `SELECT id, username, role, active, avatar_id FROM users;`