diff --git a/go.mod b/go.mod index 4e6b581..30131c9 100644 --- a/go.mod +++ b/go.mod @@ -5,4 +5,5 @@ go 1.16 require ( github.com/gorilla/sessions v1.2.1 github.com/mattn/go-sqlite3 v1.14.7 + golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d ) diff --git a/go.sum b/go.sum index 26f85c8..fa78e16 100644 --- a/go.sum +++ b/go.sum @@ -4,3 +4,12 @@ github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7Fsg github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/mattn/go-sqlite3 v1.14.7 h1:fxWBnXkxfM6sRiuH3bqJ4CfzZojMOLVc0UTsTglEghA= github.com/mattn/go-sqlite3 v1.14.7/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/pkg/database/method_user.go b/pkg/database/method_user.go index 92ff9e5..1a1404a 100644 --- a/pkg/database/method_user.go +++ b/pkg/database/method_user.go @@ -1,5 +1,10 @@ package database +import ( + "golang.org/x/crypto/bcrypt" + "log" +) + func (database *Database) Login(username string, password string) (*User, error) { database.singleThreadLock.Lock() defer database.singleThreadLock.Unlock() @@ -7,10 +12,17 @@ func (database *Database) Login(username string, password string) (*User, error) user := &User{} // get user from database - err := database.stmt.getUser.QueryRow(username, password).Scan(&user.ID, &user.Username, &user.Role, &user.Active, &user.AvatarId) + err := database.stmt.getUser.QueryRow(username).Scan(&user.ID, &user.Username, &user.Password, &user.Role, &user.Active, &user.AvatarId) if err != nil { return user, err } + + // validate password + err = database.ComparePassword(user.Password, password) + if err != nil { + return user, err + } + return user, nil } @@ -44,6 +56,9 @@ func (database *Database) Register(username string, password string, usertype in active = true } + // encrypt password + password = database.EncryptPassword(password) + database.singleThreadLock.Lock() defer database.singleThreadLock.Unlock() @@ -130,9 +145,27 @@ func (database *Database) UpdateUserPassword(id int64, password string) error { database.singleThreadLock.Lock() defer database.singleThreadLock.Unlock() + // encrypt password + password = database.EncryptPassword(password) + _, err := database.stmt.updateUserPassword.Exec(password, id) if err != nil { return err } return nil } + +func (database *Database) EncryptPassword(password string) string { + hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) + if err != nil { + log.Println("[database] Failed to hash password, using plaintext password") + return password + } + + return string(hash) +} + +func (database *Database) ComparePassword(hashedPassword string, plainTextPassword string) error { + err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(plainTextPassword)) + return err +} diff --git a/pkg/database/sql_stmt.go b/pkg/database/sql_stmt.go index dce4946..bd9bb80 100644 --- a/pkg/database/sql_stmt.go +++ b/pkg/database/sql_stmt.go @@ -193,7 +193,7 @@ var countUserQuery = `SELECT count(*) FROM users;` var countAdminQuery = `SELECT count(*) FROM users WHERE role= 1;` -var getUserQuery = `SELECT id, username, role, active, avatar_id FROM users WHERE username = ? AND password = ? LIMIT 1;` +var getUserQuery = `SELECT id, username, password, role, active, avatar_id FROM users WHERE username = ? LIMIT 1;` var getUsersQuery = `SELECT id, username, role, active, avatar_id FROM users;`