Add support for password hashes as an optional alternative to plaintext passwords (#216)

util/config.go

@@ -34,6 +34,7 @@ const (
 	DefaultConfigFilePath                  = "/etc/wireguard/wg0.conf"
 	UsernameEnvVar                         = "WGUI_USERNAME"
 	PasswordEnvVar                         = "WGUI_PASSWORD"
+	PasswordHashEnvVar                     = "WGUI_PASSWORD_HASH"
 	EndpointAddressEnvVar                  = "WGUI_ENDPOINT_ADDRESS"
 	DNSEnvVar                              = "WGUI_DNS"
 	MTUEnvVar                              = "WGUI_MTU"

util/hash.go

@@ -0,0 +1,30 @@
+package util
+
+import (
+	"encoding/base64"
+	"fmt"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func HashPassword(plaintext string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(plaintext), 14)
+	if err != nil {
+		return "", fmt.Errorf("cannot hash password: %w", err)
+	}
+	return base64.StdEncoding.EncodeToString(bytes), nil
+}
+
+func VerifyHash(base64Hash string, plaintext string) (bool, error) {
+	hash, err := base64.StdEncoding.DecodeString(base64Hash)
+	if err != nil {
+		return false, fmt.Errorf("cannot decode base64 hash: %w", err)
+	}
+	err = bcrypt.CompareHashAndPassword(hash, []byte(plaintext))
+	if err == bcrypt.ErrMismatchedHashAndPassword {
+		return false, nil
+	}
+	if err != nil {
+		return false, fmt.Errorf("cannot verify password: %w", err)
+	}
+	return true, nil
+}