jbell730
/
signet-backend
1
0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Toiminta
The backend for the project formerly known as signet, now known as beignet.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11 Commitit
1 Haara
182 KiB
 
Puu: 484e25aa68
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '484e25aa68'
${ noResults }
signet-backend/endpoints/register.go

174 rivejä
4.2 KiB
Raaka Blame Historia 

  1. package endpoints

  2. 

  3. import (

  4. 	"crypto/rand"

  5. 	"crypto/subtle"

  6. 	"encoding/base64"

  7. 	"encoding/json"

  8. 	"errors"

  9. 	"fmt"

  10. 	"net/http"

  11. 	"strings"

  12. 

  13. 	"github.com/imosed/signet/auth"

  14. 	. "github.com/imosed/signet/data"

  15. 	"github.com/rs/zerolog/log"

  16. 	"github.com/spf13/viper"

  17. 	"golang.org/x/crypto/argon2"

  18. )

  19. 

  20. const (

  21. 	SuperUser uint = iota

  22. 	AdminPlus

  23. 	Admin

  24. )

  25. 

  26. type Params struct {

  27. 	Iterations  uint32

  28. 	Memory      uint32

  29. 	Parallelism uint8

  30. 	SaltLength  uint32

  31. 	KeyLength   uint32

  32. }

  33. 

  34. func GenerateRandomBytes(n uint32) ([]byte, error) {

  35. 	var b = make([]byte, n)

  36. 	_, err := rand.Read(b)

  37. 	if err != nil {

  38. 		return nil, err

  39. 	}

  40. 

  41. 	return b, nil

  42. }

  43. 

  44. func GenerateHash(password string, p *Params) (encodedHash string, err error) {

  45. 	salt, err := GenerateRandomBytes(p.SaltLength)

  46. 	if err != nil {

  47. 		return "", err

  48. 	}

  49. 

  50. 	var hash = argon2.IDKey([]byte(password), salt, p.Iterations, p.Memory, p.Parallelism, p.KeyLength)

  51. 	var bSalt = base64.RawStdEncoding.EncodeToString(salt)

  52. 	var bHash = base64.RawStdEncoding.EncodeToString(hash)

  53. 

  54. 	encodedHash = fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, p.Memory, p.Iterations, p.Parallelism, bSalt, bHash)

  55. 

  56. 	return encodedHash, nil

  57. }

  58. 

  59. func ComparePasswordAndHash(password, encodedHash string) (match bool, err error) {

  60. 	p, salt, hash, err := DecodeHash(encodedHash)

  61. 	if err != nil {

  62. 		return false, err

  63. 	}

  64. 

  65. 	var otherHash = argon2.IDKey([]byte(password), salt, p.Iterations, p.Memory, p.Parallelism, p.KeyLength)

  66. 

  67. 	if subtle.ConstantTimeCompare(hash, otherHash) == 1 {

  68. 		return true, nil

  69. 	}

  70. 	return false, nil

  71. }

  72. 

  73. func DecodeHash(encodedHash string) (p *Params, salt, hash []byte, err error) {

  74. 	var details = strings.Split(encodedHash, "$")

  75. 	if len(details) != 6 {

  76. 		return nil, nil, nil, errors.New("the encoded hash is not in the correct format")

  77. 	}

  78. 

  79. 	var version int

  80. 	_, err = fmt.Sscanf(details[2], "v=%d", &version)

  81. 	if err != nil {

  82. 		return nil, nil, nil, err

  83. 	}

  84. 	if version != argon2.Version {

  85. 		return nil, nil, nil, errors.New("the version of argon2 does not match the hash string")

  86. 	}

  87. 

  88. 	p = &Params{}

  89. 	_, err = fmt.Sscanf(details[3], "m=%d,t=%d,p=%d", &p.Memory, &p.Iterations, &p.Parallelism)

  90. 	if err != nil {

  91. 		return nil, nil, nil, err

  92. 	}

  93. 

  94. 	salt, err = base64.RawStdEncoding.DecodeString(details[4])

  95. 	if err != nil {

  96. 		return nil, nil, nil, err

  97. 	}

  98. 	p.SaltLength = uint32(len(salt))

  99. 

  100. 	hash, err = base64.RawStdEncoding.DecodeString(details[5])

  101. 	if err != nil {

  102. 		return nil, nil, nil, err

  103. 	}

  104. 	p.KeyLength = uint32(len(hash))

  105. 

  106. 	return p, salt, hash, nil

  107. }

  108. 

  109. type AuthenticationRequest struct {

  110. 	Username string `json:"username"`

  111. 	Password string `json:"password"`

  112. }

  113. 

  114. func noUsersRegistered() bool {

  115. 	results := Db.Find(&User{})

  116. 	return results.RowsAffected == 0

  117. }

  118. 

  119. func determinePrivileges() uint {

  120. 	if noUsersRegistered() {

  121. 		return SuperUser

  122. 	} else {

  123. 		return Admin

  124. 	}

  125. }

  126. 

  127. func Register(w http.ResponseWriter, r *http.Request) {

  128. 	var req AuthenticationRequest

  129. 	err := json.NewDecoder(r.Body).Decode(&req)

  130. 	if err != nil {

  131. 		log.Error().Err(err).Msg("Could not decode body in Register call")

  132. 		return

  133. 	}

  134. 

  135. 	var claims *auth.Claims

  136. 	claims, err = auth.GetUserClaims(r)

  137. 	if err != nil {

  138. 		log.Error().Err(err).Msg("Could not determine if user is authenticated")

  139. 		return

  140. 	}

  141. 

  142. 	if noUsersRegistered() || claims.Privileges <= AdminPlus {

  143. 		hash, err := GenerateHash(req.Password, &Params{

  144. 			Memory:      uint32(viper.GetInt("hashing.memory")),

  145. 			Iterations:  uint32(viper.GetInt("hashing.iterations")),

  146. 			Parallelism: uint8(viper.GetInt("hashing.parallelism")),

  147. 			SaltLength:  uint32(viper.GetInt("hashing.saltLength")),

  148. 			KeyLength:   uint32(viper.GetInt("hashing.keyLength")),

  149. 		})

  150. 		if err != nil {

  151. 			log.Error().Err(err).Msg("Could not generate hash for registration")

  152. 			return

  153. 		}

  154. 

  155. 		Db.Create(&User{

  156. 			Username:   req.Username,

  157. 			Password:   hash,

  158. 			Privileges: determinePrivileges(),

  159. 		})

  160. 

  161. 		err = json.NewEncoder(w).Encode(SuccessResponse{Success: true})

  162. 		if err != nil {

  163. 			log.Error().Err(err).Msg("Could not deliver successful account creation response")

  164. 		}

  165. 	} else if !noUsersRegistered() {

  166. 		err = json.NewEncoder(w).Encode(SuccessResponse{Success: false})

  167. 		if err != nil {

  168. 			log.Error().Err(err).Msg("Could not deliver unsuccessful account creation response")

  169. 		}

  170. 	} else if claims.Privileges > SuperUser {

  171. 		w.WriteHeader(403)

  172. 	}

  173. }