
feat: uses bcrypt hash instead (#3293)

This commit is contained in:
Amir Raminfar
2024-09-26 16:40:47 -07:00
committed by GitHub
parent 3c15ac225c
commit de79f03aa3
4 changed files with 37 additions and 19 deletions


@@ -13,6 +13,7 @@ import (
"github.com/go-chi/jwtauth/v5"
"github.com/rs/zerolog/log"
"golang.org/x/crypto/bcrypt"
"gopkg.in/yaml.v3"
)
@@ -61,7 +62,11 @@ func GenerateUsers(user User, hashPassword bool) *bytes.Buffer {
buffer := &bytes.Buffer{}
if hashPassword {
user.Password = sha256sum(user.Password)
hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), 11)
if err != nil {
log.Fatal().Err(err).Msg("Failed to hash password")
}
user.Password = string(hash)
}
users := UserDatabase{
@@ -93,8 +98,8 @@ func decodeUsersFromFile(path string) (UserDatabase, error) {
log.Fatal().Msgf("User %s has an empty password", username)
}
if len(user.Password) != 64 {
log.Fatal().Str("password", user.Password).Msgf("User %s has an invalid password hash", username)
if !(len(user.Password) == 64 || len(user.Password) == 60) {
log.Fatal().Str("password", user.Password).Str("user", username).Msg("Invalid password for user")
}
if user.Name == "" {
@@ -146,9 +151,10 @@ func (u *UserDatabase) FindByPassword(username, password string) *User {
return nil
}
if user.Password != sha256sum(password) {
if !CompareHashAndPassword(user.Password, password) {
return nil
}
return user
}
@@ -157,6 +163,22 @@ func sha256sum(s string) string {
return hex.EncodeToString(bytes[:])
}
func CompareHashAndPassword(hash, password string) bool {
if len(hash) == 64 {
log.Warn().Msg("Using sha256sum for password comparison. Consider using a more secure hash algorithm to protected against brute-force attacks. See https://github.com/amir20/dozzle/security/advisories/GHSA-w7qr-q9fh-fj35 for more details.")
return hash == sha256sum(password)
}
if len(hash) == 60 {
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
return err == nil
}
log.Error().Str("hash", hash).Msg("Invalid hash length. Expecting 64 or 60 characters.")
return false
}
func UserFromContext(ctx context.Context) *User {
if user, ok := ctx.Value(remoteUser).(User); ok {
return &user
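Review bot: The sha256 fallback in CompareHashAndPassword compares the hex digests with plain `==` (`return hash == sha256sum(password)`), which is not constant-time, so the legacy 64-character entries that the new warning already calls out as weak also leak comparison timing; it should be `return subtle.ConstantTimeCompare([]byte(hash), []byte(sha256sum(password))) == 1` with `"crypto/subtle"` added to the imports (the bcrypt branch is fine, bcrypt.CompareHashAndPassword is constant-time). Separately, both the validation failure in decodeUsersFromFile (`Str("password", user.Password)`) and the length-check error here (`Str("hash", hash)`) write the stored credential value into the log, so an operator who pastes a plaintext password into the users file by mistake gets it echoed in the logs; logging only `len(hash)` would be safer. The cost `11` passed to bcrypt.GenerateFromPassword would read better as a named constant such as `const bcryptCost = 11`, and the warning text has a typo: "to protected against" should be "to protect against".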