public_git
/
wireguard-ui
mirror of https://github.com/ngoduykhanh/wireguard-ui.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Use ConstantTimeCompare to make the login more secure and not leak information about the used password (#205)

This commit is contained in:
Marcus Wichelmann 2022-07-14 08:35:58 +02:00 committed by GitHub
parent f43c59c043
commit 97652be545
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
handler/routes.go
View File

@ -1,6 +1,7 @@
package handler package handler
import ( import (
"crypto/subtle"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
@ -49,7 +50,9 @@ func Login(db store.IStore) echo.HandlerFunc {
return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"}) return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
} }
if user.Username == dbuser.Username && user.Password == dbuser.Password { userCorrect := subtle.ConstantTimeCompare([]byte(user.Username), []byte(dbuser.Username)) == 1
passwordCorrect := subtle.ConstantTimeCompare([]byte(user.Password), []byte(dbuser.Password)) == 1
if userCorrect && passwordCorrect {
// TODO: refresh the token // TODO: refresh the token
sess, _ := session.Get("session", c) sess, _ := session.Get("session", c)
sess.Options = &sessions.Options{ sess.Options = &sessions.Options{
@ -82,7 +85,7 @@ func Login(db store.IStore) echo.HandlerFunc {
func Logout() echo.HandlerFunc { func Logout() echo.HandlerFunc {
return func(c echo.Context) error { return func(c echo.Context) error {
clearSession(c) clearSession(c)
return c.Redirect(http.StatusTemporaryRedirect, util.BasePath + "/login") return c.Redirect(http.StatusTemporaryRedirect, util.BasePath+"/login")
} }
} }