1
0
Fork 0
mirror of https://github.com/Luzifer/cloudkeys-go.git synced 2024-11-12 16:02:44 +00:00
cloudkeys-go/register.go
Knut Ahlers d64fee60c8
Replace insecure password hashing
Prior this commit passwords were hashed with a static salt and using the
SHA1 hashing function. This could lead to passwords being attackable in
case someone gets access to the raw data stored inside the database.
This commit introduces password hashing using bcrypt hashing function
which addresses this issue.

Old passwords are not automatically re-hashed as they are unknown.
Replacing the old password scheme is not that easy and needs #10 to be
solved. Therefore the old hashing scheme is kept for compatibility
reason.

Signed-off-by: Knut Ahlers <knut@ahlers.me>
2017-12-24 11:55:52 +01:00

49 lines
1.3 KiB
Go

package main
import (
"fmt"
"net/http"
"strings"
"golang.org/x/crypto/bcrypt"
"github.com/flosch/pongo2"
"github.com/gorilla/sessions"
)
func registerHandler(res http.ResponseWriter, r *http.Request, session *sessions.Session, ctx *pongo2.Context) (*string, error) {
var (
username = strings.ToLower(r.FormValue("username"))
password = r.FormValue("password")
passwordCheck = r.FormValue("password_repeat")
)
if username == "" || password == "" || password != passwordCheck {
return stringPointer("register.html"), nil
}
if storage.IsPresent(createUserFilename(username)) {
(*ctx)["exists"] = true
return stringPointer("register.html"), nil
}
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
fmt.Printf("ERR: Unable to hash users password: %s\n", err)
(*ctx)["error"] = true
return stringPointer("register.html"), nil
}
d := dataObject{}
d.MetaData.Password = string(hashedPassword)
data, _ := d.GetData()
if err := storage.Write(createUserFilename(username), data); err != nil {
fmt.Printf("ERR: Unable to write user file: %s\n", err)
(*ctx)["error"] = true
return stringPointer("register.html"), nil
}
(*ctx)["created"] = true
return stringPointer("register.html"), nil
}