Hash stored admin codes
@ -9,6 +9,7 @@ import (
|
||||
|
||||
"crawshaw.io/sqlite"
|
||||
"crawshaw.io/sqlite/sqlitex"
|
||||
"github.com/matthewhartstonge/argon2"
|
||||
"github.com/rickb777/date"
|
||||
)
|
||||
|
||||
@ -23,6 +24,21 @@ func (u UnauthorizedError) Error() string {
|
||||
return fmt.Sprintf("unauthorized: EventID = %s, AdminCode = %s", u.EventID, u.AdminCode)
|
||||
}
|
||||
|
||||
func hash(password string) (string, error) {
|
||||
hashed, err := (&argon2.Config{
|
||||
HashLength: 32,
|
||||
// We don't need a salt because our random passwords are not
|
||||
// susceptible to dictionary attacks.
|
||||
SaltLength: 0,
|
||||
TimeCost: 3,
|
||||
MemoryCost: 64 * 1024,
|
||||
Parallelism: 4,
|
||||
Mode: argon2.ModeArgon2id,
|
||||
Version: argon2.Version13,
|
||||
}).HashEncoded([]byte(password))
|
||||
return string(hashed), err
|
||||
}
|
||||
|
||||
type GenString func(length int) (string, error)
|
||||
|
||||
type Store struct {
|
||||
@ -82,7 +98,7 @@ func (s *Store) Close() error {
|
||||
const schema = `
|
||||
CREATE TABLE event (
|
||||
id TEXT NOT NULL PRIMARY KEY,
|
||||
admin_code TEXT NOT NULL,
|
||||
admin_code_hash TEXT NOT NULL,
|
||||
name TEXT NOT NULL,
|
||||
description TEXT NOT NULL,
|
||||
earliest_date DATE NOT NULL,
|
||||
@ -157,12 +173,17 @@ func (s *Store) CreateEvent(ctx context.Context, cmd CreateEventCommand) (result
|
||||
return
|
||||
}
|
||||
|
||||
adminCodeHash, err := hash(adminCode)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
const query = `
|
||||
INSERT INTO event(id, admin_code, name, description, earliest_date, latest_date)
|
||||
INSERT INTO event(id, admin_code_hash, name, description, earliest_date, latest_date)
|
||||
VALUES (?, ?, ?, ?, ?, ?);`
|
||||
err = sqlitex.Exec(conn, query, nil,
|
||||
id,
|
||||
adminCode,
|
||||
adminCodeHash,
|
||||
cmd.Name,
|
||||
cmd.Description,
|
||||
cmd.Earliest.Format(dbDateLayout),
|
||||
@ -186,16 +207,21 @@ func (s *Store) AuthorizeEventAdmin(ctx context.Context, query CheckEventAdminCo
|
||||
conn := s.pool.Get(ctx)
|
||||
defer s.pool.Put(conn)
|
||||
|
||||
adminCodeHash, err := hash(query.AdminCode)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
const dbQuery = `
|
||||
SELECT 1
|
||||
FROM event
|
||||
WHERE id = ? AND admin_code = ?;`
|
||||
WHERE id = ? AND admin_code_hash = ?;`
|
||||
var doesMatch bool
|
||||
err := sqlitex.Exec(conn, dbQuery,
|
||||
err = sqlitex.Exec(conn, dbQuery,
|
||||
func(stmt *sqlite.Stmt) error {
|
||||
doesMatch = true
|
||||
return nil
|
||||
}, query.EventID, query.AdminCode)
|
||||
}, query.EventID, adminCodeHash)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
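Review bot: The `SaltLength: 0` in `hash` is what makes the encoded output deterministic enough for the `WHERE id = ? AND admin_code_hash = ?` lookup in `AuthorizeEventAdmin`, but it also means every authorization request pays a full argon2id computation (64 MiB, t=3, p=4) before the row is even consulted, so unauthenticated callers can drive memory and CPU with cheap requests. Since the codes are random (as the salt comment says), a SHA-256 or HMAC digest of the code would protect the stored value just as well at negligible cost; if argon2 is kept, select `admin_code_hash` by `id` and check it with the package's `VerifyEncoded`, so a later change to TimeCost or MemoryCost does not silently make every existing code fail the equality match (it is also worth confirming the library emits identical output for a zero-length salt rather than rejecting it or generating one). `UnauthorizedError.Error()` (context in the second hunk) still formats the submitted code into the message, so the plaintext reaches logs despite no longer being stored; `return fmt.Sprintf("unauthorized: EventID = %s", u.EventID)` keeps the diagnostic without it. The schema hunk swaps `admin_code` for `admin_code_hash` in `const schema` only; no migration is visible here, so existing databases presumably need one before this ships.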