func (p pwdRestful) restVerifyPassword(request *restful.Request, response *restful.Response) {
var secret secretData
err := request.ReadEntity(&secret)
tPwd, _ := salt.GenerateSaltedPassword([]byte(secret.Password), password.MinPasswordLength, password.MaxPasswordLength, p.saltStr, -1)
pass := password.GetHashedPwd(tPwd)
if err != nil {
p.setError(response, http.StatusBadRequest, err)
return
}
data := p.getPwdData(request, response)
if data == nil {
return
}
err = data.IsPasswordMatch(pass)
ok := true
if err != nil {
ok = false
}
res := cr.Match{Match: ok, Message: cr.NoMessageStr}
if ok == false && err != nil {
res.Message = fmt.Sprintf("%v", err)
}
response.WriteEntity(res)
response.WriteHeader(http.StatusOK)
}
func (p pwdRestful) restUpdatePassword(request *restful.Request, response *restful.Response) {
var secrets cr.UpdateSecret
name := request.PathParameter(userIdParam)
err := request.ReadEntity(&secrets)
if err != nil {
p.setError(response, http.StatusBadRequest, err)
return
}
data := p.getPwdData(request, response)
if data == nil {
return
}
tPwd, _ := salt.GenerateSaltedPassword([]byte(secrets.OldPassword), password.MinPasswordLength, password.MaxPasswordLength, p.saltStr, -1)
pass := password.GetHashedPwd(tPwd)
if err != nil {
p.setError(response, http.StatusBadRequest, err)
return
}
_, err = data.UpdatePassword(pass, []byte(secrets.NewPassword))
if err != nil {
p.setError(response, http.StatusBadRequest, err)
return
}
response.WriteHeader(http.StatusCreated)
response.WriteEntity(p.getUrlPath(request, name))
}
// Check if a given password matches the curent password
// Note that the passwords are stored after hashing and not as clear text
// If the passwords don't match, a 1 second delay will be used before the
// next attempt, in order to prevent brute force entry attempts
func (u AmUserInfo) IsPasswordMatch(pwd []byte) error {
saltedPwd, _ := salt.GenerateSaltedPassword([]byte(pwd), password.MinPasswordLength, password.MaxPasswordLength, u.Pwd.Salt, -1)
tPwd := password.GetHashedPwd(saltedPwd)
err := u.Pwd.IsPasswordMatch(tPwd)
// on error throttle for 1 second, reset the error counter
if err != nil {
time.Sleep(1 * time.Second)
u.Pwd.ErrorsCounter = 0 // the throttling is enougth
return err
}
return nil
}
// Example of how to use the reset password function:
// This function resets the current password,
// selects a new password with short expiration time
// and lets the user use it exactly once
func ExampleUserPwd_ResetPasword() {
id := "User1"
pwd := []byte("a1b2c3d")
saltStr, _ := salt.GetRandomSalt(10)
userPwd, _ := password.NewUserPwd(pwd, saltStr)
tmpPwd, _ := userPwd.ResetPasword()
tPwd, _ := salt.GenerateSaltedPassword(tmpPwd, 1, 100, saltStr, -1)
newPwd := password.GetHashedPwd(tPwd)
err := userPwd.IsPasswordMatch(newPwd)
if err != nil {
fmt.Printf("Check of newly generated password: '******' for user: %v failed, error: %v\n", newPwd, id, err)
} else {
fmt.Printf("Entity %v, after reseting password '%v' verified successfuly\n", id, newPwd)
}
err = userPwd.IsPasswordMatch(newPwd)
if err == nil {
fmt.Printf("Error: Newly generated password: '******' could be used only once\n", newPwd)
} else {
fmt.Printf("Newly generated password: '******', for entity: %v, can only be used once\n", newPwd, id)
}
}
// Example of how to use the password.
// 1. Create a new password.
// 2. Verify that the initial password is set correctly
// 3. Change the user's password
// 4. Verify that the old password is not valid anymore
// 5. Verify that the new password is valid
// 6. Verify that the old password can't be used any more
// (at least not as long as it remains in the old passwords list)
func ExampleUserPwd() {
id := "User-1"
pwd := []byte("a1b2c3d")
saltStr, _ := salt.GetRandomSalt(8)
userPwd, _ := password.NewUserPwd(pwd, saltStr)
tPwd, _ := salt.GenerateSaltedPassword(pwd, minPasswordLength, maxPasswordLength, saltStr, -1)
newPwd := password.GetHashedPwd(tPwd)
err := userPwd.IsPasswordMatch(newPwd)
if err != nil {
fmt.Println("Ravid: error", err)
}
userNewPwd := []byte(string(pwd) + "a")
newPwd, err = userPwd.UpdatePassword(userPwd.Password, userNewPwd)
if err != nil {
fmt.Printf("Password update for user %v to new password '%v' (%v) failed, error: %v\n", id, newPwd, string(userNewPwd), err)
} else {
fmt.Printf("User: '******', updated password to '%v' (%v)\n", id, newPwd, string(userNewPwd))
}
err = userPwd.IsPasswordMatch(newPwd)
if err != nil {
fmt.Printf("Check of the new password: '******' (%v) for user: %v failed, error: %v\n", newPwd, string(userNewPwd), id, err)
} else {
fmt.Printf("User: '******', new password '%v' (%v) verified successfuly\n", id, newPwd, string(userNewPwd))
}
err = userPwd.IsPasswordMatch(pwd)
if err == nil {
fmt.Printf("Error: Old password: '******' (%v) for user: %v accepted\n", pwd, string(pwd), id)
} else {
fmt.Printf("User: '******', Note that the old password '%v' (%v) can't be used anymore\n", id, pwd, string(pwd))
}
newPwd, err = userPwd.UpdatePassword(userPwd.Password, pwd)
if err == nil {
fmt.Printf("Error: Password '%v' (typed password %v) for user %v was alredy used\n", newPwd, string(pwd), id)
} else {
fmt.Printf("Entity: '%v', Note that the old password (entered password) %v as it was already used\n", id, string(pwd))
}
}
func (l amRestful) restUpdatePwd(request *restful.Request, response *restful.Response) {
var secrets cr.UpdateSecret
err := request.ReadEntity(&secrets)
if err != nil {
l.setError(response, http.StatusBadRequest, err)
return
}
userName := request.PathParameter(userIdParam)
data := l.getAM(request, response, userName)
if data == nil {
return
}
tPwd, err := salt.GenerateSaltedPassword([]byte(secrets.OldPassword), password.MinPasswordLength, password.MaxPasswordLength, data.Pwd.Salt, -1)
oldPwd := password.GetHashedPwd(tPwd)
err = data.UpdateUserPwd(userName, oldPwd, []byte(secrets.NewPassword))
if err != nil {
l.setError(response, http.StatusBadRequest, err)
return
}
response.WriteHeader(http.StatusCreated)
response.WriteEntity(l.getUrlPath(request, userName))
}
