From 5b6da560896970c610c691dff6ed052a57ed5a1d Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sat, 16 Nov 2024 00:36:17 +0100
Subject: fix(tfstated): hash passwords instead of relying on the database
 encryption key

---
 pkg/model/account.go | 42 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 8 deletions(-)

(limited to 'pkg/model')

diff --git a/pkg/model/account.go b/pkg/model/account.go
index 86032b8..4336dfa 100644
--- a/pkg/model/account.go
+++ b/pkg/model/account.go
@@ -1,15 +1,41 @@
 package model
 
-import "time"
+import (
+	"crypto/sha256"
+	"crypto/subtle"
+	"time"
+
+	"git.adyxax.org/adyxax/tfstated/pkg/scrypto"
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const (
+	PBKDF2Iterations = 600000
+	SaltSize         = 32
+)
 
 type AccountContextKey struct{}
 
 type Account struct {
-	Id        int
-	Username  string
-	Password  string
-	IsAdmin   bool
-	Created   time.Time
-	LastLogin time.Time
-	Settings  any
+	Id           int
+	Username     string
+	Salt         []byte
+	PasswordHash []byte
+	IsAdmin      bool
+	Created      time.Time
+	LastLogin    time.Time
+	Settings     any
+}
+
+func (account *Account) CheckPassword(password string) bool {
+	hash := HashPassword(password, account.Salt)
+	return subtle.ConstantTimeCompare(hash, account.PasswordHash) == 1
+}
+
+func GenerateSalt() []byte {
+	return scrypto.RandomBytes(SaltSize)
+}
+
+func HashPassword(password string, salt []byte) []byte {
+	return pbkdf2.Key([]byte(password), salt, PBKDF2Iterations, 32, sha256.New)
 }
-- 
cgit v1.2.3