public_git
/
wireguard-ui
mirror of https://github.com/ngoduykhanh/wireguard-ui.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Use ConstantTimeCompare to make the login more secure and not leak information about the used password

This commit is contained in:
Marcus Wichelmann 2022-07-08 18:51:28 +02:00
parent f43c59c043
commit a95721defe
No known key found for this signature in database
GPG Key ID: D9FC1B92E557C80D
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
handler/routes.go
View File

@ -1,6 +1,7 @@
package handler
import (
"crypto/subtle"
"encoding/base64"
"encoding/json"
"fmt"
@ -49,7 +50,9 @@ func Login(db store.IStore) echo.HandlerFunc {
return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
}
if user.Username == dbuser.Username && user.Password == dbuser.Password {
userCorrect := subtle.ConstantTimeCompare([]byte(user.Username), []byte(dbuser.Username)) == 1
passwordCorrect := subtle.ConstantTimeCompare([]byte(user.Password), []byte(dbuser.Password)) == 1
if userCorrect && passwordCorrect {
// TODO: refresh the token
sess, _ := session.Get("session", c)
sess.Options = &sessions.Options{
@ -82,7 +85,7 @@ func Login(db store.IStore) echo.HandlerFunc {
func Logout() echo.HandlerFunc {
return func(c echo.Context) error {
clearSession(c)
return c.Redirect(http.StatusTemporaryRedirect, util.BasePath + "/login")
return c.Redirect(http.StatusTemporaryRedirect, util.BasePath+"/login")
}
}