auth.go: use hashed/salted passwords instead of plaintext
parent
892c4b27ac
commit
32bf03dc07
2 changed files with 8 additions and 6 deletions
8
auth.go
8
auth.go
|
|
@ -1,16 +1,18 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func authenticateUser(db *sql.DB, username, password string) bool {
|
||||
pass, ok := getPasswordForUser(db, username)
|
||||
hashedPassword, ok := getPasswordForUser(db, username)
|
||||
if ok {
|
||||
return subtle.ConstantTimeCompare([]byte(pass), []byte(password)) == 1
|
||||
err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))
|
||||
//TODO: print error message?
|
||||
return err == nil
|
||||
} else {
|
||||
return false
|
||||
}
|
||||
|
|
|
|||
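Review bot: The `err` from `bcrypt.CompareHashAndPassword` is collapsed into `return err == nil`, so a stored value that is not a valid bcrypt hash (the `ErrHashTooShort` / invalid-prefix cases) is reported exactly like a wrong password; nothing in this diff migrates rows the previous version stored in plaintext, so after deploy those users would presumably see a silent login failure with no operator-visible signal. The `//TODO: print error message?` line would be resolved by distinguishing a mismatch from a malformed hash and logging only the latter (never the password), which needs `errors` and `log` added to the import block. Separately, when `ok` is false the function returns before any bcrypt work runs, so a request for an unknown username completes measurably faster than one for a known username with a wrong password; the usual mitigation is to run the comparison against a fixed dummy hash in that branch. The `"golang.org/x/crypto/bcrypt"` import also sits inside the stdlib group, which `goimports` would move into its own group. The body of authenticateUser continues past the end of the hunk.
```go
hashedPassword, ok := getPasswordForUser(db, username)
if !ok {
	return false
}
err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))
if err != nil && !errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
	// Not a wrong password: the stored value is not a usable bcrypt hash
	// (corrupt row, or a plaintext row that was never migrated).
	log.Printf("authenticateUser: invalid stored hash for user %q: %v", username, err)
}
return err == nil
```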
6
data.go
6
data.go
|
|
@ -43,14 +43,14 @@ func prepareDatabase() (*sql.DB, error) {
|
|||
return db, nil
|
||||
}
|
||||
|
||||
func getPasswordForUser(db *sql.DB, username string) (string, bool) {
|
||||
var password string
|
||||
func getPasswordForUser(db *sql.DB, username string) ([]byte, bool) {
|
||||
var password []byte
|
||||
|
||||
row := db.QueryRow("SELECT password FROM users WHERE username=$1", username)
|
||||
err := row.Scan(&password)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
return "", false
|
||||
return nil, false
|
||||
} else {
|
||||
panic(err)
|
||||
}
|
||||
|
|
|
|||
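Review bot: The `panic(err)` in the context lines still turns every Scan failure other than `sql.ErrNoRows` — a dropped connection, a query timeout, or a column that cannot be scanned into the new `[]byte` target — into a panic, and the `([]byte, bool)` signature leaves the caller no way to tell "no such user" from "database unavailable". Since this commit already changes the return type, it would be the natural point to return `([]byte, error)` with a sentinel for the missing-user case (`var errNoSuchUser = errors.New("no such user")`, `if errors.Is(err, sql.ErrNoRows) { return nil, errNoSuchUser }`, `return nil, fmt.Errorf("looking up password for %q: %w", username, err)`), and let authenticateUser decide how to fail. The `} else {` after the returning `if` can also be dropped so the happy path stays left-aligned. The body of getPasswordForUser continues past the end of the hunk.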