Use ConstantTimeCompare to make the login more secure and not leak information about the used password (#205)

This commit is contained in:
Marcus Wichelmann
2022-07-14 08:35:58 +02:00
committed by GitHub
parent f43c59c043
commit 97652be545


@@ -1,6 +1,7 @@
package handler package handler
import ( import (
"crypto/subtle"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
@@ -49,7 +50,9 @@ func Login(db store.IStore) echo.HandlerFunc {
return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"}) return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
} }
if user.Username == dbuser.Username && user.Password == dbuser.Password { userCorrect := subtle.ConstantTimeCompare([]byte(user.Username), []byte(dbuser.Username)) == 1
passwordCorrect := subtle.ConstantTimeCompare([]byte(user.Password), []byte(dbuser.Password)) == 1
if userCorrect && passwordCorrect {
// TODO: refresh the token // TODO: refresh the token
sess, _ := session.Get("session", c) sess, _ := session.Get("session", c)
sess.Options = &sessions.Options{ sess.Options = &sessions.Options{