commit e1d8fd4bcc9889bd47b195273a5489dcd7a713e4
parent bfdeead859aab5299c2721cf9b2444ce5f89ab2a
Author: vasyahacker <vasya@magicfreedom.com>
Date: Fri, 14 Apr 2023 17:06:00 +0400
used bcrypt for user password
Diffstat:
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/ii/db.go b/ii/db.go
@@ -7,7 +7,6 @@ package ii
import (
"bufio"
"crypto/sha256"
- "encoding/base64"
"errors"
"fmt"
"io"
@@ -19,6 +18,7 @@ import (
"sync"
"sync/atomic"
"time"
+ "golang.org/x/crypto/bcrypt"
)
// This is index entry. Information about message that is loaded in memory.
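Review bot: The new `golang.org/x/crypto/bcrypt` import is placed inside the standard-library group; goimports would put it in its own group after a blank line. The diffstat shows only ii/db.go changed, so this commit does not touch go.mod or go.sum. Confirm that golang.org/x/crypto is already required and pinned there, so the build does not resolve an unreviewed version of a package that now handles password hashing.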
@@ -906,8 +906,12 @@ func IsPassword(u string) bool {
// String is something like id + user + password
func MakeSecret(msg string) string {
h := sha256.Sum256([]byte(msg))
- s := base64.URLEncoding.EncodeToString(h[:])
- return s[0:10]
+ hash, err := bcrypt.GenerateFromPassword(h[:], bcrypt.DefaultCost)
+ if err != nil {
+ Error.Printf("bcrypt problem")
+ return "bcryptProblem"
+ }
+ return string(hash)
}
// Return secret for username or "" if no such user
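Review bot: When bcrypt fails, MakeSecret returns the constant `bcryptProblem`, which a caller cannot tell apart from a real hash, and the log line drops `err`. If that value is stored as a user's secret, Auth would reject the account, but any path that compares the stored secret directly (the pauth check mentioned further down may be one; it is not visible here) would be matching a publicly known string. Log the cause with `Error.Printf("bcrypt: %v", err)` and return a value callers already reject, or change the signature to return the error. The doc comment should also say that the result is now a salted bcrypt hash, so two calls with the same input no longer return the same string and callers must not compare with `==`.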
@@ -929,7 +933,8 @@ func (db *UDB) Auth(User string, Passwd string) bool {
if !ok {
return false
}
- return ui.Secret == MakeSecret(User+Passwd)
+ secret := sha256.Sum256([]byte(User+Passwd))
+ return bcrypt.CompareHashAndPassword([]byte(ui.Secret), secret[:]) == nil
}
// Returns true if Secret (pauth) is valid
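Review bot: Secrets stored before this change are the 10-character truncated base64 strings produced by the old MakeSecret, and `bcrypt.CompareHashAndPassword` returns an error for them. Every existing account would therefore fail Auth unless the user database is migrated, or a fallback for the old format is kept until the next successful login rehashes it. The SHA-256 pre-hash of `User+Passwd` is now written out both here and in MakeSecret; a small shared helper would keep the two from drifting apart. The `!ok` branch returns before any bcrypt work, so unknown users answer noticeably faster than known ones; if username enumeration matters for this service, that is worth a comment or a dummy compare. Auth's opening lines are outside the hunk.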