switch to password hashes

Aine
2022-09-23 11:17:34 +03:00
parent ce53d85806
commit 4bf0f0dee3
5 changed files with 25 additions and 26 deletions


@@ -5,6 +5,7 @@ import (
"regexp" "regexp"
"strings" "strings"
"github.com/raja/argon2pw"
"gitlab.com/etke.cc/go/mxidwc" "gitlab.com/etke.cc/go/mxidwc"
"maunium.net/go/mautrix/id" "maunium.net/go/mautrix/id"
@@ -85,5 +86,9 @@ func (b *Bot) AllowAuth(email, password string) bool {
return false return false
} }
return utils.Compare(password, cfg.Password()) allow, err := argon2pw.CompareHashWithPassword(cfg.Password(), password)
if err != nil {
b.log.Warn("Password for %s is not valid: %v", email, err)
}
return allow
} }
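Review bot: Values stored before this commit are plaintext passwords, and `argon2pw.CompareHashWithPassword` will reject those as malformed hashes, so every room that already had a password is locked out of authentication until it is re-set; the hunk has no migration step and reports this only as the generic warning on the `err` branch. It would help to recognise a stored value that does not look like a hash and log it as a distinct "password must be re-set" condition, separate from a plain mismatch. If the library also reports a mismatch through `err` (it appears to, but that is not visible here), `b.log.Warn` fires on every wrong password, which is noisy for a credential-guessing path; `Debug` level or rate limiting seems more appropriate. The removed `utils.Compare` handled an empty stored password explicitly, whereas the new path relies on the library rejecting an empty hash — worth a comment confirming that behaviour. AllowAuth's body starts before this hunk.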


@@ -3,6 +3,8 @@ package bot
import ( import (
"context" "context"
"fmt" "fmt"
"github.com/raja/argon2pw"
) )
func (b *Bot) runStop(ctx context.Context) { func (b *Bot) runStop(ctx context.Context) {
@@ -63,8 +65,11 @@ func (b *Bot) getOption(ctx context.Context, name string) {
"To set it to a new value, send a `%s %s VALUE` command.", "To set it to a new value, send a `%s %s VALUE` command.",
name, value, b.prefix, name) name, value, b.prefix, name)
if name == roomOptionPassword { if name == roomOptionPassword {
msg = msg + "\n\n---\n\n" + msg = fmt.Sprintf("Password hash of this room is `%s`\n"+
"**Please, remove that message after reading.**" "To set it to a new value, send a `%s %s VALUE` command.\n\n"+
"---\n\n"+
"**Please, remove that message after reading.**",
value, b.prefix, name)
} }
b.SendNotice(ctx, evt.RoomID, msg) b.SendNotice(ctx, evt.RoomID, msg)
} }
@@ -91,6 +96,14 @@ func (b *Bot) setOption(ctx context.Context, name, value string) {
return return
} }
if name == roomOptionPassword {
value, err = argon2pw.GenerateSaltedHash(value)
if err != nil {
b.Error(ctx, evt.RoomID, "failed to hash password: %v", err)
return
}
}
old := cfg.Get(name) old := cfg.Get(name)
cfg.Set(name, value) cfg.Set(name, value)
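Review bot: The `getOption` hunk still posts the stored value into the room, now as "Password hash of this room is ...": the argon2 hash is of no use to the person asking, it is readable by every room member and by the homeserver, and an exposed hash can be attacked offline, so the "please remove that message" reminder does not really mitigate the disclosure. Since the plaintext can no longer be shown, report only whether a password is set, e.g. `msg = fmt.Sprintf("A password is set for this room.\nTo change it, send a `+"`%s %s VALUE`"+` command.", b.prefix, name)`, and drop the removal warning. In the `setOption` hunk the plaintext also survives in room history as the command message itself; redacting that event after hashing would close that gap, if the bot has permission to do so. The `err` assigned with `=` in `setOption` must be declared earlier in the function, which is outside this hunk.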

3
go.mod

@@ -5,12 +5,14 @@ go 1.18
require ( require (
git.sr.ht/~xn/cache/v2 v2.0.0 git.sr.ht/~xn/cache/v2 v2.0.0
github.com/emersion/go-msgauth v0.6.6 github.com/emersion/go-msgauth v0.6.6
github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
github.com/emersion/go-smtp v0.15.0 github.com/emersion/go-smtp v0.15.0
github.com/gabriel-vasile/mimetype v1.4.1 github.com/gabriel-vasile/mimetype v1.4.1
github.com/getsentry/sentry-go v0.13.0 github.com/getsentry/sentry-go v0.13.0
github.com/jhillyerd/enmime v0.10.0 github.com/jhillyerd/enmime v0.10.0
github.com/lib/pq v1.10.6 github.com/lib/pq v1.10.6
github.com/mattn/go-sqlite3 v1.14.15 github.com/mattn/go-sqlite3 v1.14.15
github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39
gitlab.com/etke.cc/go/env v1.0.0 gitlab.com/etke.cc/go/env v1.0.0
gitlab.com/etke.cc/go/logger v1.1.0 gitlab.com/etke.cc/go/logger v1.1.0
gitlab.com/etke.cc/go/mxidwc v1.0.0 gitlab.com/etke.cc/go/mxidwc v1.0.0
@@ -22,7 +24,6 @@ require (
require ( require (
github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 // indirect
github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28 // indirect github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28 // indirect
github.com/google/go-cmp v0.5.8 // indirect github.com/google/go-cmp v0.5.8 // indirect
github.com/gorilla/mux v1.8.0 // indirect github.com/gorilla/mux v1.8.0 // indirect
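Review bot: The new dependency `github.com/raja/argon2pw` is pinned at an untagged pseudo-version (`v1.0.2-0.20210910183755-a391af63bd39`) of a small single-maintainer repository, which is a supply-chain and maintenance consideration for code on the authentication path. It appears to be a thin wrapper over `golang.org/x/crypto/argon2`; calling `argon2.IDKey` directly with a random salt and an explicit parameter set would remove the dependency and make the cost parameters visible in this repo rather than fixed by the library. If the library is kept, record its hard-coded Argon2 parameters in a comment near the call sites so they can be reviewed. Whether `golang.org/x/crypto` is already required is not visible in these hunks.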

2
go.sum

@@ -61,6 +61,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39 h1:2by0+lF6NfaNWhlpsv1DfBQzwbAyYUPIsMWYapek/Sk=
github.com/raja/argon2pw v1.0.2-0.20210910183755-a391af63bd39/go.mod h1:idX/fPqwjX31YMTF2iIpEpNApV2YbQhSFr4iIhJaqp4=
github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=


@@ -1,7 +1,6 @@
package utils package utils
import ( import (
"crypto/subtle"
"strconv" "strconv"
"strings" "strings"
) )
@@ -34,24 +33,3 @@ func Bool(str string) bool {
func SanitizeBoolString(str string) string { func SanitizeBoolString(str string) string {
return strconv.FormatBool(Bool(str)) return strconv.FormatBool(Bool(str))
} }
// Compare strings with constant time to prevent timing attacks
func Compare(actual, expected string) bool {
actualb := []byte(actual)
expectedb := []byte(expected)
if expected == "" {
// Just to keep constant time
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
return false
}
// actual comparison
if subtle.ConstantTimeEq(int32(len(actual)), int32(len(expected))) == 1 {
return subtle.ConstantTimeCompare(actualb, expectedb) == 1
}
// Just to keep constant time
_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
return false
}