From d892cad72c1eb4ae20c1b7f1c5b9451650454c28 Mon Sep 17 00:00:00 2001
From: Ryan Mehri
Date: Mon, 11 May 2020 20:41:16 -0600
Subject: Add password check on post hash
---
 backend/api/api.go | 1 +
 backend/api/routes.go | 15 ++++++++++++++-
 backend/cache/cache.go | 10 +++++++---
 backend/hashing/hash.go | 13 +++++++++++++
 4 files changed, 35 insertions(+), 4 deletions(-)
(limited to 'backend')
diff --git a/backend/api/api.go b/backend/api/api.go
index 59242ef..59fecba 100644
--- a/backend/api/api.go
+++ b/backend/api/api.go
@@ -32,6 +32,7 @@ func Serve(port int) {
 	r.HandleFunc("/health", healthCheckFunc)
 	r.HandleFunc("/api", insertFunc).Methods("POST", "OPTIONS")
 	r.HandleFunc("/api/{hash}", getHashFunc).Methods("GET", "OPTIONS")
+	r.HandleFunc("/api/{hash}", getHashWithPasswordFunc).Methods("POST", "OPTIONS")
 	http.Handle("/", r)
diff --git a/backend/api/routes.go b/backend/api/routes.go
index 7fb2114..6b9ba43 100644
--- a/backend/api/routes.go
+++ b/backend/api/routes.go
@@ -52,12 +52,25 @@ func insertFunc(w http.ResponseWriter, r *http.Request) {
 }
 func getHashFunc(w http.ResponseWriter, r *http.Request) {
+	// no password given for get
+	handleGetHash(w, r, "")
+}
+
+func getHashWithPasswordFunc(w http.ResponseWriter, r *http.Request) {
+	// get password from form
+	_ = r.ParseMultipartForm(0)
+	gotPassword := r.FormValue("password")
+
+	handleGetHash(w, r, gotPassword)
+
+}
+func handleGetHash(w http.ResponseWriter, r *http.Request, gotPassword string) {
 	// Allow CORS
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 	hash := mux.Vars(r)["hash"]
-	paste, err := cache.C.Get(hash)
+	paste, err := cache.C.Get(hash, gotPassword)
 	// if hash was not found
 	if err == cache.PasteNotFound {
diff --git a/backend/cache/cache.go b/backend/cache/cache.go
index 1a8a7a1..918873e 100644
--- a/backend/cache/cache.go
+++ b/backend/cache/cache.go
@@ -2,6 +2,7 @@ package cache
 import (
 	"errors"
+	"github.com/jackyzha0/ctrl-v/hashing"
 	"sync"
 	"github.com/jackyzha0/ctrl-v/db"
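Review bot: The added `r.HandleFunc("/api/{hash}", getHashWithPasswordFunc).Methods("POST", "OPTIONS")` registers OPTIONS for `/api/{hash}` a second time; gorilla/mux dispatches to the first registered route that matches, so as far as this hunk shows a CORS preflight for the new POST endpoint is still served by getHashFunc rather than the new handler. If both handlers treat preflight identically this is harmless but surprising to the next reader; a comment such as `// OPTIONS for this path is already matched by the GET route above` would record that it is intentional, otherwise the OPTIONS method belongs on only one of the two registrations. Serve continues outside the hunk.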
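Review bot: The `_ = r.ParseMultipartForm(0)` line in getHashWithPasswordFunc discards the parse error and, with a maxMemory of 0, reads the entire request body (spooling file parts to temporary files) before the password is even looked at, while nothing on the new side caps the body size of this unauthenticated endpoint. `r.FormValue` parses the form on its own, so the explicit call can be replaced by a size limit: `r.Body = http.MaxBytesReader(w, r.Body, 1<<20) // limit chosen for this review; size it to the expected form` followed by the existing `gotPassword := r.FormValue("password")`. Since the password is forwarded unconditionally, an absent field reaches cache.Get as the empty string and is treated as a wrong password by the bcrypt comparison; a one-line comment saying so, `// a missing field yields "" and is rejected like any other mismatch`, would save the next reader a trip into the cache package. handleGetHash continues beyond the end of this hunk.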
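Review bot: The new `"github.com/jackyzha0/ctrl-v/hashing"` import sits between the standard-library entries `"errors"` and `"sync"`; goimports convention keeps module-local imports in the second group beside `"github.com/jackyzha0/ctrl-v/db"`, and the next goimports run will move it there anyway. Placing the line next to the db import keeps the grouping consistent. This also creates a cache→hashing package dependency; the hunk cannot show whether hashing imports cache, so it is worth confirming no import cycle results.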
@@ -23,7 +24,7 @@ func init() {
 	}
 }
-func (c *Cache) Get(hash string) (db.Paste, error) {
+func (c *Cache) Get(hash, userPassword string) (db.Paste, error) {
 	c.lock.RLock()
 	// check if hash in cache
@@ -40,9 +41,12 @@ func (c *Cache) Get(hash string) (db.Paste, error) {
 		return p, PasteNotFound
 	}
-	// if there is a password
+	// if there is a password, check the provided one against it
 	if p.Password != "" {
-		return db.Paste{}, UserUnauthorized
+		// if passwords do not match, the user is unauthorized
+		if !hashing.ComparePasswords(p.Password, userPassword) {
+			return db.Paste{}, UserUnauthorized
+		}
 	}
 	c.add(p)
diff --git a/backend/hashing/hash.go b/backend/hashing/hash.go
index 93a9cf9..d8e699a 100644
--- a/backend/hashing/hash.go
+++ b/backend/hashing/hash.go
@@ -29,4 +29,17 @@ func hashString(text string) string {
 func HashPassword(password string) (string, error) {
 	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	return string(hashedPassword), err
+}
+
+func ComparePasswords(dbPassword, gotPassword string) bool {
+	dbPassBytes := []byte(dbPassword)
+	gotPassBytes := []byte(gotPassword)
+	compErr := bcrypt.CompareHashAndPassword(dbPassBytes, gotPassBytes)
+
+	// if comparison error, the given password is not valid
+	if compErr != nil {
+		return false
+	} else {
+		return true
+	}
 }
\ No newline at end of file
-- 
cgit v1.2.3
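Review bot: The bcrypt comparison added inside `if p.Password != ""` runs only on the path that just fetched the paste from the store; Get's earlier cache lookup under the RLock at the top of the method is outside this hunk, and if it returns a cached entry directly then the password is checked only on the first request for a hash, while every later request for the same hash — now cached by the `c.add(p)` on the line after the check — would skip it. Please confirm that cache-hit path, and consider factoring the check into a helper that both paths call, as sketched below. Get, declared in the previous hunk, also lacks a doc comment; `// Get returns the paste stored under hash, checking userPassword against the stored bcrypt hash when the paste is password-protected.` states the new contract. Get begins before and ends after this hunk.
```go
// checkPassword reports UserUnauthorized when p is password-protected and
// userPassword does not match its stored hash; call it on every path that
// hands a paste to the caller, the cache hit included.
func checkPassword(p db.Paste, userPassword string) error {
	if p.Password != "" && !hashing.ComparePasswords(p.Password, userPassword) {
		return UserUnauthorized
	}
	return nil
}

	// … unchanged: store lookup and PasteNotFound handling …
	if err := checkPassword(p, userPassword); err != nil {
		return db.Paste{}, err
	}
	c.add(p)
```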
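Review bot: The `if compErr != nil { return false } else { return true }` tail of ComparePasswords is an if/else around a boolean result, which staticcheck flags; the whole body collapses to `return bcrypt.CompareHashAndPassword([]byte(dbPassword), []byte(gotPassword)) == nil`. The exported function also has no doc comment; `// ComparePasswords reports whether gotPassword matches the bcrypt hash dbPassword; a malformed or empty stored hash also yields false.` records that a non-bcrypt value in the password field is treated as a mismatch rather than surfaced as an error, which is the behavior the new code actually has. The file now ends without a trailing newline (`\ No newline at end of file`), which gofmt would add.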