author | Julien Dessaux | 2024-11-17 00:05:22 +0100 |
---|---|---|
committer | Julien Dessaux | 2024-12-17 23:19:18 +0100 |
commit | 25ed1188ed970a19675befef12afe68045565c4a (patch) | |
tree | 5cfc55047d833400028fb69a7f069f5cedecaacd /pkg | |
parent | fix(tfstated): hash passwords instead of relying on the database encryption key (diff) | |
chore(tfstated): refactor helpers to their own package
Diffstat (limited to '')
-rw-r--r-- | pkg/basic_auth/middleware.go | 16 | ||||
-rw-r--r-- | pkg/database/accounts.go | 5 | ||||
-rw-r--r-- | pkg/helpers/crypto.go | 21 | ||||
-rw-r--r-- | pkg/helpers/error.go | 17 | ||||
-rw-r--r-- | pkg/helpers/json.go (renamed from cmd/tfstated/helpers.go) | 17 | ||||
-rw-r--r-- | pkg/model/account.go | 19 |
6 files changed, 53 insertions, 42 deletions
diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go
index 7f8fb4a..0e22ad3 100644
--- a/pkg/basic_auth/middleware.go
+++ b/pkg/basic_auth/middleware.go
@@ -2,10 +2,12 @@ package basic_auth
 import (
 "context"
+ "fmt"
 "net/http"
 "time"
 "git.adyxax.org/adyxax/tfstated/pkg/database"
+ "git.adyxax.org/adyxax/tfstated/pkg/helpers"
 "git.adyxax.org/adyxax/tfstated/pkg/model"
 )
@@ -15,26 +17,22 @@ func Middleware(db *database.DB) func(http.Handler) http.Handler {
 username, password, ok := r.BasicAuth()
 if !ok {
 w.Header().Set("WWW-Authenticate", `Basic realm="tfstated", charset="UTF-8"`)
- http.Error(w, "Unauthorized", http.StatusUnauthorized)
+ helpers.ErrorResponse(w, http.StatusUnauthorized, fmt.Errorf("Unauthorized"))
 return
 }
 account, err := db.LoadAccountByUsername(username)
 if err != nil {
- http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ helpers.ErrorResponse(w, http.StatusInternalServerError, err)
 return
 }
- if account == nil {
- http.Error(w, "Forbidden", http.StatusForbidden)
- return
- }
- if !account.CheckPassword(password) {
- http.Error(w, "Forbidden", http.StatusForbidden)
+ if account == nil || !account.CheckPassword(password) {
+ helpers.ErrorResponse(w, http.StatusForbidden, fmt.Errorf("Forbidden"))
 return
 }
 now := time.Now().UTC()
 _, err = db.Exec(`UPDATE accounts SET last_login = ? WHERE id = ?`, now.Unix(), account.Id)
 if err != nil {
- http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ helpers.ErrorResponse(w, http.StatusInternalServerError, err)
 return
 }
 ctx := context.WithValue(r.Context(), model.AccountContextKey{}, account)
diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go
index 6400d5a..f506155 100644
--- a/pkg/database/accounts.go
+++ b/pkg/database/accounts.go
@@ -7,6 +7,7 @@ import (
 "log/slog"
 "time"
+ "git.adyxax.org/adyxax/tfstated/pkg/helpers"
 "git.adyxax.org/adyxax/tfstated/pkg/model"
 "go.n16f.net/uuid"
 )
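Review bot: The two 500 paths in Middleware now hand the raw `err` from `db.LoadAccountByUsername` and `db.Exec` to `helpers.ErrorResponse`, which renders it with `fmt.Sprintf("%+v", err)` into the JSON body, so database and driver error text is returned to unauthenticated clients where `http.Error(w, "Internal Server Error", ...)` previously sent a fixed string. Log `err` server-side and send a constant instead, e.g. `helpers.ErrorResponse(w, http.StatusInternalServerError, errors.New("internal server error"))`; the same concern applies to the new error.go hunk, whose `Msg` field should be documented as client-visible. The `fmt.Errorf("Unauthorized")` and `fmt.Errorf("Forbidden")` calls contain no format verbs and would be `errors.New`, which also avoids the staticcheck warning about capitalised error strings. The handler closure inside Middleware starts and ends outside the hunk.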
@@ -69,8 +70,8 @@ func (db *DB) InitAdminAccount() error {
 if err = password.Generate(uuid.V4); err != nil {
 return fmt.Errorf("failed to generate initial admin password: %w", err)
 }
- salt := model.GenerateSalt()
- hash := model.HashPassword(password.String(), salt)
+ salt := helpers.GenerateSalt()
+ hash := helpers.HashPassword(password.String(), salt)
 if _, err = tx.ExecContext(db.ctx, `INSERT INTO accounts(username, salt, password_hash, is_admin)
 VALUES ("admin", :salt, :hash, TRUE)
diff --git a/pkg/helpers/crypto.go b/pkg/helpers/crypto.go
new file mode 100644
index 0000000..ce73cd3
--- /dev/null
+++ b/pkg/helpers/crypto.go
@@ -0,0 +1,21 @@
+package helpers
+
+import (
+ "crypto/sha256"
+
+ "git.adyxax.org/adyxax/tfstated/pkg/scrypto"
+ "golang.org/x/crypto/pbkdf2"
+)
+
+const (
+ PBKDF2Iterations = 600000
+ SaltSize = 32
+)
+
+func GenerateSalt() []byte {
+ return scrypto.RandomBytes(SaltSize)
+}
+
+func HashPassword(password string, salt []byte) []byte {
+ return pbkdf2.Key([]byte(password), salt, PBKDF2Iterations, 32, sha256.New)
+}
diff --git a/pkg/helpers/error.go b/pkg/helpers/error.go
new file mode 100644
index 0000000..006759d
--- /dev/null
+++ b/pkg/helpers/error.go
@@ -0,0 +1,17 @@
+package helpers
+
+import (
+ "fmt"
+ "net/http"
+)
+
+func ErrorResponse(w http.ResponseWriter, status int, err error) {
+ type errorResponse struct {
+ Msg string `json:"msg"`
+ Status int `json:"status"`
+ }
+ _ = Encode(w, status, &errorResponse{
+ Msg: fmt.Sprintf("%+v", err),
+ Status: status,
+ })
+}
diff --git a/cmd/tfstated/helpers.go b/pkg/helpers/json.go
index 33e14a4..664a984 100644
--- a/cmd/tfstated/helpers.go
+++ b/pkg/helpers/json.go
@@ -1,4 +1,4 @@
-package main
+package helpers
 import (
 "encoding/json"
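Review bot: `PBKDF2Iterations`, `SaltSize`, `GenerateSalt` and `HashPassword` in crypto.go are exported without doc comments, and the derivation parameters are not stored next to the hash (the accounts.go hunk above inserts only `salt` and `password_hash`), so a later change to `PBKDF2Iterations` or to the hard-coded 32-byte key length on the `pbkdf2.Key` line would silently stop every stored password from verifying. Suggest stating that on the const block: `// PBKDF2Iterations and SaltSize are baked into stored password_hash values; changing them requires re-hashing existing accounts (for example on the next successful login).` The literal 32 passed as key length could be a named constant alongside `SaltSize`, e.g. `KeySize = 32`, so the two sizes are not confused. Whether `scrypto.RandomBytes` draws from crypto/rand is not visible in this hunk and should be confirmed, since `GenerateSalt` depends on it entirely.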
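Review bot: `_ = Encode(w, status, ...)` in ErrorResponse drops the encoding error that the removed `errorResponse` used to return, with no comment saying why. By the time `Encode` can fail it has already called `w.WriteHeader(status)`, so nothing more can be sent to the client, but that is the justification a reader needs: `// Encode has already written the status line; a failure here cannot be reported to the client.` Alternatively keep the `error` return as before so callers can at least log it. The exported `ErrorResponse` also lacks a doc comment describing that `Msg` carries the text of `err` to the client.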
@@ -7,14 +7,14 @@ import (
 "net/http"
 )
-func decode(r *http.Request, data any) error {
+func Decode(r *http.Request, data any) error {
 if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
 return fmt.Errorf("failed to decode json: %w", err)
 }
 return nil
 }
-func encode(w http.ResponseWriter, status int, data any) error {
+func Encode(w http.ResponseWriter, status int, data any) error {
 w.Header().Set("Content-Type", "application/json")
 w.WriteHeader(status)
 if err := json.NewEncoder(w).Encode(data); err != nil {
@@ -23,14 +23,3 @@ func encode(w http.ResponseWriter, status int, data any) error {
 }
 return nil
 }
-
-func errorResponse(w http.ResponseWriter, status int, err error) error {
- type errorResponse struct {
- Msg string `json:"msg"`
- Status int `json:"status"`
- }
- return encode(w, status, &errorResponse{
- Msg: fmt.Sprintf("%+v", err),
- Status: status,
- })
-}
diff --git a/pkg/model/account.go b/pkg/model/account.go
index 4336dfa..7a69685 100644
--- a/pkg/model/account.go
+++ b/pkg/model/account.go
@@ -1,17 +1,10 @@
 package model
 import (
- "crypto/sha256"
 "crypto/subtle"
 "time"
- "git.adyxax.org/adyxax/tfstated/pkg/scrypto"
- "golang.org/x/crypto/pbkdf2"
-)
-
-const (
- PBKDF2Iterations = 600000
- SaltSize = 32
+ "git.adyxax.org/adyxax/tfstated/pkg/helpers"
 )
 type AccountContextKey struct{}
@@ -28,14 +21,6 @@ type Account struct {
 }
 func (account *Account) CheckPassword(password string) bool {
- hash := HashPassword(password, account.Salt)
+ hash := helpers.HashPassword(password, account.Salt)
 return subtle.ConstantTimeCompare(hash, account.PasswordHash) == 1
 }
-
-func GenerateSalt() []byte {
- return scrypto.RandomBytes(SaltSize)
-}
-
-func HashPassword(password string, salt []byte) []byte {
- return pbkdf2.Key([]byte(password), salt, PBKDF2Iterations, 32, sha256.New)
-}
|
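Review bot: `Decode` passes `&data` to `json.Decoder.Decode`, i.e. it decodes into a `*any` rather than into the pointer the caller supplied; this works when `data` holds a non-nil pointer, but a caller that passes a struct by value gets the interface silently replaced with a `map[string]any` instead of the `json: Unmarshal(non-pointer ...)` error that would expose the mistake, so the call should read `json.NewDecoder(r.Body).Decode(data)`. The request body is also consumed with no size bound; wrapping it with `http.MaxBytesReader` needs the `http.ResponseWriter`, which `Decode` does not take, so at minimum the doc comment for the now-exported `Decode` should say that the caller is expected to limit `r.Body`. `Decode` is entirely within the hunk; `Encode`'s body continues into the following hunk.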