From fd994ce631ce7244157f81678574e6bc420d0fcc Mon Sep 17 00:00:00 2001
From: sanine-a
Date: Wed, 10 May 2023 12:18:57 -0500
Subject: implement user logins and gatekeeping

---
 db/db.go | 1 +
 db/session.go | 7 +++++++
 db/user.go | 43 ++++++++++---------------------------
 3 files changed, 18 insertions(+), 33 deletions(-)

(limited to 'db')

diff --git a/db/db.go b/db/db.go
index d9b4578..c58f6ad 100644
--- a/db/db.go
+++ b/db/db.go
@@ -56,6 +56,7 @@ type Model interface {
 	DeleteSession(session Session) error
 	TouchSession(session Session) error
 	CheckSession(session Session) (bool, error)
+	CheckSessionId(id string) (bool, error)
 	CleanSessions(maxIdle time.Duration) error
 	AllSessions() ([]Session, error)
diff --git a/db/session.go b/db/session.go
index 8590d2f..da081f9 100644
--- a/db/session.go
+++ b/db/session.go
@@ -90,6 +90,13 @@ func (p *Phlox) CheckSession(session Session) (bool, error) {
 }
+
+func (p *Phlox) CheckSessionId(id string) (bool, error) {
+	session := Session{ Id: id }
+	return p.CheckSession(session)
+}
+
+
 func (p *Phlox) TouchSession(session Session) error {
 	now := time.Now().UTC().Format(time.RFC3339)
 	_, err := p.db.Exec(
diff --git a/db/user.go b/db/user.go
index 27e6f89..1aff73f 100644
--- a/db/user.go
+++ b/db/user.go
@@ -1,7 +1,7 @@
 package db
 import (
-	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/crypto/argon2"
 	"crypto/rand"
 	"encoding/base64"
 	"database/sql"
@@ -23,21 +23,8 @@ func getNextUserId(db *sql.DB) (int, error) {
 }
-func saltPassword(password string, salt []byte) []byte {
-	salted := []byte(password)
-	salted = append(salted, salt...)
-	return salted
-}
-
-
-func hashPassword(password string, salt []byte) ([]byte, error) {
-	salted := saltPassword(password, salt)
-	hash, err := bcrypt.GenerateFromPassword(salted, bcrypt.DefaultCost)
-	if err != nil {
-		return []byte{}, err
-	}
-
-	return hash, nil
+func hashPassword(password string, salt []byte) []byte {
+	return argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32)
 }
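Review bot: `CheckSessionId` in db/session.go has no doc comment, and its body is not gofmt-clean: `Session{ Id: id }` formats as `Session{Id: id}`, and gofmt collapses the double blank lines placed around the function. Suggest `// CheckSessionId looks up the session with the given id via CheckSession and returns its result.` above the signature; CheckSession's body is outside this hunk, so what its bool means is not stated here. If this wrapper is the entry point that receives the raw session id from a request, consider rejecting the empty string up front with `if id == "" { return false, nil }` rather than relying on CheckSession to do so.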
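Review bot: The Argon2id parameters in `hashPassword` are bare literals (`1, 64*1024, 4, 32`) and nothing about them is stored with the hash, so they cannot be raised later without invalidating every existing user; the bcrypt output this replaces carried its cost factor, the new raw 32-byte key carries nothing. Name the parameters as constants (below) and consider storing them, or a format version, alongside the hash so a future tuning can rehash on next successful login. Note also that any bcrypt hashes already in the users table will no longer verify after this change, and the commit adds no migration or dual-path verification for them. `hashPassword` also needs a doc comment stating what it derives and that the result is deterministic for a given password and salt.

```go
// Argon2id work factors. They are not recorded with the stored hash, so changing
// any of them invalidates hashes created with the previous values.
const (
	argonTime    = 1
	argonMemory  = 64 * 1024 // KiB
	argonThreads = 4
	argonKeyLen  = 32
)

// hashPassword derives an argonKeyLen-byte Argon2id key from password and salt.
// The result is deterministic for a given (password, salt) pair.
func hashPassword(password string, salt []byte) []byte {
	return argon2.IDKey([]byte(password), salt, argonTime, argonMemory, argonThreads, argonKeyLen)
}
```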
@@ -55,10 +42,7 @@ func (p *Phlox) CreateUser(username, password string) (User, error) {
 		return user, err
 	}
-	hash, err := hashPassword(password, salt)
-	if err != nil {
-		return user, err
-	}
+	hash := hashPassword(password, salt)
 	hash64 := base64.StdEncoding.EncodeToString(hash)
 	salt64 := base64.StdEncoding.EncodeToString(salt)
@@ -86,13 +70,10 @@ func (p *Phlox) DeleteUser(user User) error {
 func (p *Phlox) SetPassword(user User, password string) error {
-	hash, err := hashPassword(password, user.Salt)
-	if err != nil {
-		return err
-	}
+	hash := hashPassword(password, user.Salt)
 	hash64 := base64.StdEncoding.EncodeToString(hash)
-	_, err = p.db.Exec("update users set passwordhash=? where userid=?;", hash64, user.Id)
+	_, err := p.db.Exec("update users set passwordhash=? where userid=?;", hash64, user.Id)
 	return err
 }
@@ -135,15 +116,11 @@ func (p *Phlox) AuthenticateUser(username, password string) (bool, User, error)
 		return false, User{}, err
 	}
-	salted := saltPassword(password, user.Salt)
-	err = bcrypt.CompareHashAndPassword(user.PasswordHash, salted)
-	if err != nil {
-		// bad password
-		return false, User{}, nil
-	} else {
-		// success!
-		return true, user, nil
+	hash := hashPassword(password, user.Salt)
+	for i, v := range user.PasswordHash {
+		if v != hash[i] { return false, user, nil; }
 	}
+	return true, user, nil
 }
-- 
cgit v1.2.1
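Review bot: `hash := hashPassword(password, user.Salt)` in SetPassword keeps the user's original salt across password changes, so every hash the user ever has is derived with the same salt. Generating a fresh salt here (as CreateUser appears to do, outside this hunk) and writing it back in the same `update users set ...` statement would make each stored hash independent of its predecessors. The previous bcrypt code had the same behaviour, so this is pre-existing rather than a regression, but the rewrite is the natural point to fix it.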
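Review bot: The byte loop that replaces `bcrypt.CompareHashAndPassword` in AuthenticateUser ranges over `user.PasswordHash` and indexes `hash[i]`, so it never checks that the two lengths match: a stored hash shorter than the 32-byte key (including an empty one) is accepted whenever it is a prefix of the computed key, and a longer one indexes past `hash` and panics. It also returns on the first mismatching byte, so response timing reveals how many leading bytes matched. Replace the loop with `if subtle.ConstantTimeCompare(user.PasswordHash, hash) != 1 { return false, User{}, nil }` (import `crypto/subtle`), which rejects unequal lengths and compares in constant time, and which also restores the old behaviour of returning an empty `User{}` on a bad password rather than the loaded record. The one-line `{ return false, user, nil; }` body is not gofmt-clean either. AuthenticateUser's signature and the user lookup are outside this hunk, so whether `user.PasswordHash` holds the decoded bytes or still the base64 text could not be checked here.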