add salt
Marco Andronaco andronacomarco@gmail.com
Thu, 10 Oct 2024 10:43:32 +0200
2 files changed,
38 insertions(+),
29 deletions(-)
auth/auth.go
auth/auth.go
@@ -19,21 +19,26 @@ Pepper: pepper,
 }
 }
-func (g Auth) HashPassword(password string) (string, error) {
- hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password+g.Pepper), bcrypt.DefaultCost)
+func (g Auth) HashPassword(password string) (hashedPassword, salt string, err error) {
+ salt, err = g.GenerateRandomToken(16)
+ if err != nil {
+ return
+ }
+
+ bytesPassword, err := bcrypt.GenerateFromPassword([]byte(password+salt+g.Pepper), bcrypt.DefaultCost)
 if err != nil {
- return "", err
+ return
 }
- return string(hashedPassword), nil
+ hashedPassword = string(bytesPassword)
+ return
 }
-func (g Auth) CheckPassword(password, hash string) bool {
- err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password+g.Pepper))
- return err == nil
+func (g Auth) CheckPassword(password, salt, hash string) bool {
+ return bcrypt.CompareHashAndPassword([]byte(hash), []byte(password+salt+g.Pepper)) == nil
 }
-func (g Auth) GenerateRandomToken() (string, error) {
- token := make([]byte, 32)
+func (g Auth) GenerateRandomToken(n int) (string, error) {
+ token := make([]byte, n)
 _, err := rand.Read(token)
 if err != nil {
 return "", err
@@ -42,7 +47,7 @@ return hex.EncodeToString(token), nil
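Review bot: The bcrypt input in the new HashPassword is `password+salt+g.Pepper`, and the 32-character hex salt consumes almost half of bcrypt's 72-byte input limit, so with a 40-character password the pepper already lies beyond the limit; depending on the x/crypto version, GenerateFromPassword then either silently truncates (the pepper contributes nothing, and CheckPassword still accepts the password) or returns bcrypt.ErrPasswordTooLong and registration fails with a 500. bcrypt also generates and stores its own 128-bit salt inside the hash, so the extra Salt value (and the Salt column added to User in main.go) does not strengthen the stored hash. A fixed-size pre-hash removes the length problem: fold password, salt and pepper through HMAC-SHA256 and hex-encode the digest (64 bytes), then pass that to GenerateFromPassword in HashPassword and to CompareHashAndPassword in CheckPassword instead of `[]byte(password+salt+g.Pepper)`; this needs `crypto/hmac` and `crypto/sha256` imports and, like this commit itself, invalidates hashes created before the change.
```go
// pepperedKey folds password, salt and pepper into a fixed 64-byte hex digest so the
// value handed to bcrypt never exceeds its 72-byte limit. Used by HashPassword and CheckPassword.
func (g Auth) pepperedKey(password, salt string) []byte {
	mac := hmac.New(sha256.New, []byte(g.Pepper))
	mac.Write([]byte(password + salt))
	return []byte(hex.EncodeToString(mac.Sum(nil)))
}
// … unchanged: HashPassword and CheckPassword, now calling g.pepperedKey(password, salt) …
```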
 }
 func (g Auth) GenerateCookie(duration time.Duration) (*http.Cookie, error) {
- sessionToken, err := g.GenerateRandomToken()
+ sessionToken, err := g.GenerateRandomToken(32)
 if err != nil {
 return nil, err
 }
main.go
main.go
@@ -20,10 +20,10 @@ type key int
 type User struct {
 gorm.Model
- Username string
- Email string
- PasswordHash string
- RememberToken string
+ Username string
+ Email string
+ PasswordHash string
+ Salt string
 }
 var (
@@ -84,21 +84,20 @@ http.Redirect(w, r, "/login", http.StatusFound)
 return
 }
- var user User
- db.Where("remember_token = ?", cookie.Value).First(&user)
-
- if user.ID == 0 {
+ userID, err := ks.Get(cookie.Value)
+ if err != nil {
 http.Redirect(w, r, "/login", http.StatusFound)
 return
 }
- ctx := context.WithValue(r.Context(), userContextKey, user)
+ ctx := context.WithValue(r.Context(), userContextKey, *userID)
 next(w, r.WithContext(ctx))
 }
 }
-func getLoggedUser(r *http.Request) (User, bool) {
- user, ok := r.Context().Value(userContextKey).(User)
+func getLoggedUser(r *http.Request) (user User, ok bool) {
+ userID, ok := r.Context().Value(userContextKey).(uint)
+ db.Find(&user, userID)
 return user, ok
 }
@@ -130,13 +129,19 @@ username := r.FormValue("username")
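Review bot: In the new getLoggedUser the `ok` result reflects only the type assertion, while the result of `db.Find(&user, userID)` is discarded, so a session whose user row has since been deleted (or any database error) yields `ok == true` with a zero-valued User; the query also runs when the assertion failed and userID is 0. Guard on the assertion and use the lookup result: `if !ok { return }` followed by `ok = db.First(&user, userID).Error == nil`. In the middleware part of the hunk, `*userID` assumes ks.Get never returns a nil pointer together with a nil error; that contract lives in the key store, which is outside this diff, and is worth confirming. The middleware function starts before the hunk.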
 email := r.FormValue("email")
 password := r.FormValue("password")
- hashedPassword, err := g.HashPassword(password)
+ hashedPassword, salt, err := g.HashPassword(password)
 if err != nil {
+ log.Printf("Error: %v", err)
 http.Error(w, "Errore durante la registrazione", http.StatusInternalServerError)
 return
 }
- user := User{Username: username, Email: email, PasswordHash: hashedPassword}
+ user := User{
+ Username: username,
+ Email: email,
+ PasswordHash: hashedPassword,
+ Salt: salt,
+ }
 db.Create(&user)
 http.Redirect(w, r, "/login", http.StatusFound)
 return
@@ -151,7 +156,7 @@
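Review bot: The added `log.Printf("Error: %v", err)` is the only logging on the HashPassword error path; the password-reset hunk (`@@ -240,7 +243,7 @@`) has the same branch without it, so a failing GenerateRandomToken there leaves no trace in the logs. A `log.Printf("hashing password: %v", err)` before that hunk's http.Error would make the two handlers consistent. Independently of the new fields, `db.Create(&user)` still discards its error, so a duplicate username or email silently redirects to /login as if registration succeeded; `if err := db.Create(&user).Error; err != nil { … }` with a 500 or a validation message would surface it. The handler begins before the hunk.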
 var user User
 db.Where("username = ?", username).First(&user)
- if user.ID == 0 || !g.CheckPassword(password, user.PasswordHash) {
+ if user.ID == 0 || !g.CheckPassword(password, user.Salt, user.PasswordHash) {
 http.Error(w, "Credenziali non valide", http.StatusUnauthorized)
 return
 }
@@ -168,9 +173,7 @@ if err != nil {
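Review bot: The rewritten condition short-circuits on `user.ID == 0`, so an unknown username skips the bcrypt comparison and is answered measurably faster than a wrong password, which lets a client tell valid usernames apart by response time; the shape predates this commit, but the line is being changed here. Running CompareHashAndPassword against a fixed dummy hash when the lookup fails equalises the two paths, e.g. `if user.ID == 0 { user.Salt, user.PasswordHash = "", dummyHash }` before the check, with `dummyHash` a package-level value produced once by GenerateFromPassword. The error of `db.Where(...).First(&user)` is also discarded, so a database outage is reported to the user as invalid credentials rather than as a server error. The handler starts and ends outside the hunk.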
 http.Error(w, "Errore nella generazione del token", http.StatusInternalServerError)
 }
- // user.RememberToken = cookie.Value
- // db.Save(&user)
-
+ ks.Set(cookie.Value, user.ID, duration)
 http.SetCookie(w, cookie)
 http.Redirect(w, r, "/", http.StatusFound)
 return
@@ -196,7 +199,7 @@ return
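Review bot: The new `ks.Set(cookie.Value, user.ID, duration)` also runs when GenerateCookie failed, because the `if err != nil { http.Error(...) }` block above it has no `return`; on that path `cookie` is nil, so `cookie.Value` dereferences a nil pointer and the handler panics after a 500 has already been written. Add `return` after the http.Error call. Whether ks.Set reports failures is not visible here; if it returns an error, check it before http.SetCookie, since a session cookie whose token was never stored sends the user straight back to /login on the next request. The enclosing handler starts before the hunk.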
 }
 // Genera un token di reset
- resetToken, err := g.GenerateRandomToken()
+ resetToken, err := g.GenerateRandomToken(32)
 if err != nil {
 http.Error(w, "Errore nella generazione del token di reset", http.StatusInternalServerError)
 return
@@ -240,7 +243,7 @@
 password := r.FormValue("password")
 // Hash della nuova password
- hashedPassword, err := g.HashPassword(password)
+ hashedPassword, salt, err := g.HashPassword(password)
 if err != nil {
 http.Error(w, "Errore nella modifica della password", http.StatusInternalServerError)
 return
@@ -248,6 +251,7 @@ }
 // Aggiorna l'utente con la nuova password e rimuove il token di reset
 user.PasswordHash = hashedPassword
+ user.Salt = salt
 db.Save(&user)
 ks.Delete(token)
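Review bot: After the new password and salt are saved, only the reset token is removed (`ks.Delete(token)`); sessions created before the reset remain valid in the key store, although a recovery-flow password change is normally expected to end them. If the store can enumerate sessions by user ID, revoke them here after `db.Save(&user)`; if it cannot, a per-user session version compared by the auth middleware achieves the same effect. The key store's API is outside this diff, so this is a point to confirm rather than a definite defect. The result of `db.Save(&user)` is also unchecked, so a failed write still reports success to the user. The handler starts before the hunk.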