From 32bf03dc07d47e30f33708d973952f58977cb50b Mon Sep 17 00:00:00 2001
From: Thomas Preisner
Date: Sat, 22 Sep 2018 14:59:15 +0200
Subject: [PATCH] auth.go: use hashed/salted passwords instead of plaintext

---
 auth.go | 8 +++++---
 data.go | 6 +++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/auth.go b/auth.go
index 6e830f6..09886d7 100644
--- a/auth.go
+++ b/auth.go
@@ -1,16 +1,18 @@
 package main
 
 import (
-	"crypto/subtle"
+	"golang.org/x/crypto/bcrypt"
 	"database/sql"
 	"fmt"
 	"net/http"
 )
 
 func authenticateUser(db *sql.DB, username, password string) bool {
-	pass, ok := getPasswordForUser(db, username)
+	hashedPassword, ok := getPasswordForUser(db, username)
 	if ok {
-		return subtle.ConstantTimeCompare([]byte(pass), []byte(password)) == 1
+		err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))
+		//TODO: print error message?
+		return err == nil
 	} else {
 		return false
 	}
diff --git a/data.go b/data.go
index c1a19c2..bb99c7e 100644
--- a/data.go
+++ b/data.go
@@ -43,14 +43,14 @@ func prepareDatabase() (*sql.DB, error) {
 	return db, nil
 }
 
-func getPasswordForUser(db *sql.DB, username string) (string, bool) {
-	var password string
+func getPasswordForUser(db *sql.DB, username string) ([]byte, bool) {
+	var password []byte
 	row := db.QueryRow("SELECT password FROM users WHERE username=$1", username)
 	err := row.Scan(&password)
 	if err != nil {
 		if err == sql.ErrNoRows {
-			return "", false
+			return nil, false
 		} else {
 			panic(err)
 		}
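Review bot: The `//TODO: print error message?` left in authenticateUser marks a real gap: bcrypt.CompareHashAndPassword returns bcrypt.ErrMismatchedHashAndPassword for a wrong password but a different error when the stored value is not a hash it can parse (bad prefix, truncated, unsupported cost), and `return err == nil` folds both into a silent login failure, so a corrupted or not-yet-migrated password column is indistinguishable from a bad password. Separately, the `ok == false` branch returns without doing any bcrypt work, so a request for an unknown username is answered measurably faster than one with a wrong password; running the comparison against a fixed package-level dummy hash in that branch removes the difference. The rewrite below does both and drops the `else` after the terminating return; it assumes a package-level `dummyHash` (a bcrypt hash of any fixed string generated at the same cost as real user hashes, a name constructed for this note) and a `log` import, neither of which the hunk has. The import block also places `golang.org/x/crypto/bcrypt` inside the standard-library group; goimports would put it in its own group after a blank line.
```go
func authenticateUser(db *sql.DB, username, password string) bool {
	hashedPassword, ok := getPasswordForUser(db, username)
	if !ok {
		// Unknown user: still pay the bcrypt cost so response time does not
		// reveal whether the username exists.
		_ = bcrypt.CompareHashAndPassword(dummyHash, []byte(password))
		return false
	}
	err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))
	if err != nil && err != bcrypt.ErrMismatchedHashAndPassword {
		// Not a wrong password: the stored value is not a parseable bcrypt hash.
		// Surface it as a data problem instead of hiding it as a failed login.
		log.Printf("authenticateUser: stored hash for %q is invalid: %v", username, err)
	}
	return err == nil
}
```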