universal-hashing-sha256
This commit is contained in:
parent
3bd3a52d3b
commit
1f3cb1aab9
|
|
@ -1,7 +1,9 @@
|
||||||
package crypto
|
package crypto
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/sha256"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
|
"encoding/hex"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
|
||||||
"github.com/authorizerdev/authorizer/server/constants"
|
"github.com/authorizerdev/authorizer/server/constants"
|
||||||
|
|
@ -125,11 +127,33 @@ func EncryptEnvData(data map[string]interface{}) (string, error) {
|
||||||
return EncryptB64(string(encryptedConfig)), nil
|
return EncryptB64(string(encryptedConfig)), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// getSHA256 calculates the SHA-256 hash of a string
|
||||||
|
func getSHA256(input string) string {
|
||||||
|
hash := sha256.New()
|
||||||
|
hash.Write([]byte(input))
|
||||||
|
return hex.EncodeToString(hash.Sum(nil))
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyPassword compares a stored hashed password with a user-provided password
|
||||||
|
func VerifyPassword(storedHashedPassword, userProvidedPassword string) error {
|
||||||
|
// CompareHashAndPassword returns nil on success
|
||||||
|
err := bcrypt.CompareHashAndPassword([]byte(storedHashedPassword), []byte(userProvidedPassword))
|
||||||
|
if err != nil {
|
||||||
|
passwordSHA256 := getSHA256(userProvidedPassword)
|
||||||
|
err = bcrypt.CompareHashAndPassword([]byte(storedHashedPassword), []byte(passwordSHA256))
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
// EncryptPassword is used for encrypting password
|
// EncryptPassword is used for encrypting password
|
||||||
func EncryptPassword(password string) (string, error) {
|
func EncryptPassword(password string) (string, error) {
|
||||||
pw, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
pw, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
password = getSHA256(password)
|
||||||
|
pw, err = bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return string(pw), nil
|
return string(pw), nil
|
||||||
|
|
|
||||||
|
|
@ -7,13 +7,13 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"golang.org/x/crypto/bcrypt"
|
|
||||||
|
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
|
|
||||||
"github.com/authorizerdev/authorizer/server/authenticators"
|
"github.com/authorizerdev/authorizer/server/authenticators"
|
||||||
"github.com/authorizerdev/authorizer/server/constants"
|
"github.com/authorizerdev/authorizer/server/constants"
|
||||||
"github.com/authorizerdev/authorizer/server/cookie"
|
"github.com/authorizerdev/authorizer/server/cookie"
|
||||||
|
"github.com/authorizerdev/authorizer/server/crypto"
|
||||||
"github.com/authorizerdev/authorizer/server/db"
|
"github.com/authorizerdev/authorizer/server/db"
|
||||||
"github.com/authorizerdev/authorizer/server/db/models"
|
"github.com/authorizerdev/authorizer/server/db/models"
|
||||||
mailService "github.com/authorizerdev/authorizer/server/email"
|
mailService "github.com/authorizerdev/authorizer/server/email"
|
||||||
|
|
@ -104,7 +104,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||||
return res, fmt.Errorf(`phone number is not verified`)
|
return res, fmt.Errorf(`phone number is not verified`)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
err = bcrypt.CompareHashAndPassword([]byte(*user.Password), []byte(params.Password))
|
err = crypto.VerifyPassword(*user.Password, params.Password)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to compare password: ", err)
|
log.Debug("Failed to compare password: ", err)
|
||||||
return res, fmt.Errorf(`bad user credentials`)
|
return res, fmt.Errorf(`bad user credentials`)
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,7 @@ import (
|
||||||
|
|
||||||
"github.com/authorizerdev/authorizer/server/constants"
|
"github.com/authorizerdev/authorizer/server/constants"
|
||||||
"github.com/authorizerdev/authorizer/server/cookie"
|
"github.com/authorizerdev/authorizer/server/cookie"
|
||||||
|
"github.com/authorizerdev/authorizer/server/crypto"
|
||||||
"github.com/authorizerdev/authorizer/server/db"
|
"github.com/authorizerdev/authorizer/server/db"
|
||||||
"github.com/authorizerdev/authorizer/server/db/models"
|
"github.com/authorizerdev/authorizer/server/db/models"
|
||||||
"github.com/authorizerdev/authorizer/server/graph/model"
|
"github.com/authorizerdev/authorizer/server/graph/model"
|
||||||
|
|
@ -69,7 +70,7 @@ func MobileLoginResolver(ctx context.Context, params model.MobileLoginInput) (*m
|
||||||
return res, fmt.Errorf(`phone number is not verified`)
|
return res, fmt.Errorf(`phone number is not verified`)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = bcrypt.CompareHashAndPassword([]byte(*user.Password), []byte(params.Password))
|
err = crypto.VerifyPassword(*user.Password, params.Password)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to compare password: ", err)
|
log.Debug("Failed to compare password: ", err)
|
||||||
|
|
|
||||||
|
|
@ -163,7 +163,7 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
|
||||||
}
|
}
|
||||||
|
|
||||||
if isPasswordChanging && user.Password != nil && params.OldPassword != nil {
|
if isPasswordChanging && user.Password != nil && params.OldPassword != nil {
|
||||||
if err = bcrypt.CompareHashAndPassword([]byte(refs.StringValue(user.Password)), []byte(refs.StringValue(params.OldPassword))); err != nil {
|
if err = crypto.VerifyPassword(refs.StringValue(user.Password), refs.StringValue(params.OldPassword)); err != nil {
|
||||||
log.Debug("Failed to compare hash and old password: ", err)
|
log.Debug("Failed to compare hash and old password: ", err)
|
||||||
return res, fmt.Errorf("incorrect old password")
|
return res, fmt.Errorf("incorrect old password")
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,6 @@ import (
|
||||||
"github.com/authorizerdev/authorizer/server/crypto"
|
"github.com/authorizerdev/authorizer/server/crypto"
|
||||||
"github.com/authorizerdev/authorizer/server/memorystore"
|
"github.com/authorizerdev/authorizer/server/memorystore"
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
"golang.org/x/crypto/bcrypt"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// CreateAdminAuthToken creates the admin token based on secret key
|
// CreateAdminAuthToken creates the admin token based on secret key
|
||||||
|
|
@ -31,7 +30,7 @@ func GetAdminAuthToken(gc *gin.Context) (string, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
err = bcrypt.CompareHashAndPassword([]byte(token), []byte(adminSecret))
|
err = crypto.VerifyPassword(token, adminSecret)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf(`unauthorized`)
|
return "", fmt.Errorf(`unauthorized`)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user