authorRyan Mehri <[email protected]>2020-05-11 20:41:16 -0600
committerRyan Mehri <[email protected]>2020-05-11 20:41:16 -0600
commitd892cad72c1eb4ae20c1b7f1c5b9451650454c28 (patch)
tree4563ceb597cda8339a6f49b4a3ff05c53fc67017 /backend
parentMerge pull request #15 from jackyzha0/readme (diff)
Add password check on post hash
Diffstat (limited to 'backend')
-rw-r--r--backend/api/api.go1
-rw-r--r--backend/api/routes.go15
-rw-r--r--backend/cache/cache.go10
-rw-r--r--backend/hashing/hash.go13
4 files changed, 35 insertions, 4 deletions
diff --git a/backend/api/api.go b/backend/api/api.go
index 59242ef..59fecba 100644
--- a/backend/api/api.go
+++ b/backend/api/api.go
@@ -32,6 +32,7 @@ func Serve(port int) {
r.HandleFunc("/health", healthCheckFunc)
r.HandleFunc("/api", insertFunc).Methods("POST", "OPTIONS")
r.HandleFunc("/api/{hash}", getHashFunc).Methods("GET", "OPTIONS")
+ r.HandleFunc("/api/{hash}", getHashWithPasswordFunc).Methods("POST", "OPTIONS")
http.Handle("/", r)
diff --git a/backend/api/routes.go b/backend/api/routes.go
index 7fb2114..6b9ba43 100644
--- a/backend/api/routes.go
+++ b/backend/api/routes.go
@@ -52,12 +52,25 @@ func insertFunc(w http.ResponseWriter, r *http.Request) {
}
func getHashFunc(w http.ResponseWriter, r *http.Request) {
+ // no password given for get
+ handleGetHash(w, r, "")
+}
+
+func getHashWithPasswordFunc(w http.ResponseWriter, r *http.Request) {
+ // get password from form
+ _ = r.ParseMultipartForm(0)
+ gotPassword := r.FormValue("password")
+
+ handleGetHash(w, r, gotPassword)
+
+}
+func handleGetHash(w http.ResponseWriter, r *http.Request, gotPassword string) {
// Allow CORS
w.Header().Set("Access-Control-Allow-Origin", "*")
hash := mux.Vars(r)["hash"]
- paste, err := cache.C.Get(hash)
+ paste, err := cache.C.Get(hash, gotPassword)
// if hash was not found
if err == cache.PasteNotFound {
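Review bot: The error from `r.ParseMultipartForm(0)` on the `_ =` line in getHashWithPasswordFunc is discarded, so a malformed or oversized body silently degrades to an empty password and the request proceeds as an unauthenticated lookup instead of being rejected. `r.FormValue` already parses the body on demand (multipart or urlencoded) with the package's default memory cap, so the explicit call can simply be dropped; if it is kept, only a non-multipart body should be tolerated: `if err := r.ParseMultipartForm(0); err != nil && err != http.ErrNotMultipart { http.Error(w, "malformed form", http.StatusBadRequest); return }`. The blank line before the closing brace of getHashWithPasswordFunc is gofmt noise, and handleGetHash would read better with a one-line comment stating that an empty gotPassword means no credential was supplied. handleGetHash's body continues past the end of the hunk.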
diff --git a/backend/cache/cache.go b/backend/cache/cache.go
index 1a8a7a1..918873e 100644
--- a/backend/cache/cache.go
+++ b/backend/cache/cache.go
@@ -2,6 +2,7 @@ package cache
import (
"errors"
+ "github.com/jackyzha0/ctrl-v/hashing"
"sync"
"github.com/jackyzha0/ctrl-v/db"
@@ -23,7 +24,7 @@ func init() {
}
}
-func (c *Cache) Get(hash string) (db.Paste, error) {
+func (c *Cache) Get(hash, userPassword string) (db.Paste, error) {
c.lock.RLock()
// check if hash in cache
@@ -40,9 +41,12 @@ func (c *Cache) Get(hash string) (db.Paste, error) {
return p, PasteNotFound
}
- // if there is a password
+ // if there is a password, check the provided one against it
if p.Password != "" {
- return db.Paste{}, UserUnauthorized
+ // if passwords do not match, the user is unauthorized
+ if !hashing.ComparePasswords(p.Password, userPassword) {
+ return db.Paste{}, UserUnauthorized
+ }
}
c.add(p)
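Review bot: Exported `Get` changes its signature in this hunk but still has no doc comment; suggest `// Get returns the paste stored under hash. For a password-protected paste, userPassword must verify against the stored bcrypt hash, otherwise UserUnauthorized is returned.` The new branch also runs a full bcrypt verification for every protected paste, including the plain GET path that now passes "", so a guard such as `if userPassword == "" || !hashing.ComparePasswords(p.Password, userPassword) {` answers that case without the hashing cost — valid only if an empty paste password is never stored, which insertFunc (not in view) would have to guarantee. Whether the read lock taken at the top of Get is still held at this point is outside the hunk; if it is, the deliberately slow compare runs under it. In the import hunk above, the new `hashing` import sits between the stdlib entries `errors` and `sync`; goimports would group it with the `db` import below.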
diff --git a/backend/hashing/hash.go b/backend/hashing/hash.go
index 93a9cf9..d8e699a 100644
--- a/backend/hashing/hash.go
+++ b/backend/hashing/hash.go
@@ -29,4 +29,17 @@ func hashString(text string) string {
func HashPassword(password string) (string, error) {
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
return string(hashedPassword), err
+}
+
+func ComparePasswords(dbPassword, gotPassword string) bool {
+ dbPassBytes := []byte(dbPassword)
+ gotPassBytes := []byte(gotPassword)
+ compErr := bcrypt.CompareHashAndPassword(dbPassBytes, gotPassBytes)
+
+ // if comparison error, the given password is not valid
+ if compErr != nil {
+ return false
+ } else {
+ return true
+ }
} \ No newline at end of file
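Review bot: The `if compErr != nil { return false } else { return true }` tail of ComparePasswords is an `else` after a terminating return; the whole body reduces to `return bcrypt.CompareHashAndPassword([]byte(dbPassword), []byte(gotPassword)) == nil`. Exported `ComparePasswords` also needs a doc comment, e.g. `// ComparePasswords reports whether gotPassword matches the bcrypt hash dbPassword; a malformed stored hash also yields false.` Note that any error, not only a mismatch, collapses to false, so callers cannot tell a corrupt stored hash from a wrong password — acceptable here, but worth stating in the comment. The file ends without a trailing newline, which gofmt would fix.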