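// UserAuth verifies username/password against the users table and returns
// the matching user id, the stored per-user password salt and true on
// success. On any failure (unknown user, disabled account, wrong password)
// it returns (-1, "", false). The salt is returned so callers can hash a
// replacement password with the same salt.
//
// The candidate hash is never logged, and it is compared with the stored
// hash without short-circuiting so response timing does not reveal how
// many leading characters matched.
func UserAuth(username string, password string) (int, string, bool) {
	row := MyDB.connection.QueryRow(`select id, passwordhash, passwordsalt, isdisabled
                                     from users where username=$1`,
		username)

	var (
		userID       int
		passwordHash string
		passwordSalt string
		isDisabled   bool
	)

	// Scan fails both when no row matches and on a database error; both are
	// reported to the caller as a plain failed login.
	if err := row.Scan(&userID, &passwordHash, &passwordSalt, &isDisabled); err != nil {
		log.Info("Unknown login or password for %s", username)
		return -1, "", false
	}

	if isDisabled {
		log.Info("Username %s is disabled", username)
		return -1, "", false
	}

	// NOTE(review): a single salted SHA1 round is a weak password hash; a slow
	// KDF would be preferable, but switching requires migrating stored hashes.
	calculatedPasswordHash := utils.SHA1(passwordSalt + password)

	if !hashesEqual(calculatedPasswordHash, passwordHash) {
		log.Info("Invalid password")
		return -1, "", false
	}

	return userID, passwordSalt, true
}

// hashesEqual reports whether a and b are identical, visiting every byte
// regardless of where the first difference is. It mirrors
// crypto/subtle.ConstantTimeCompare; prefer that once the import is in place.
// A length mismatch is rejected up front, which reveals only the length.
func hashesEqual(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	var diff byte
	for i := 0; i < len(a); i++ {
		diff |= a[i] ^ b[i]
	}
	return diff == 0
}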
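// UserAuthPasswordChangeHandler changes the password of the user identified
// by HTTP Basic Auth credentials. The replacement password is read from the
// posted form field decoded into PasswordChangeForm.New_password. On success
// the new password is hashed with the user's existing salt, stored, and every
// session of that user is deleted; the response is an empty 200.
//
// Responses: 401 when credentials are missing or wrong; 400 when the form is
// malformed, the new password is empty, or it equals the current password
// (the last case carries a JSON ErrorMsg body); 500 when a database
// statement fails.
func UserAuthPasswordChangeHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	username, password, ok := r.BasicAuth()
	if !ok {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	userID, salt, ok := UserAuth(username, password)
	if !ok {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// A body that cannot be parsed is a client error: answer and stop instead
	// of panicking after the status has already been written.
	if err := r.ParseForm(); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	decoder := schema.NewDecoder()
	form := new(PasswordChangeForm)
	if err := decoder.Decode(form, r.PostForm); err != nil || form.New_password == "" {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	newPassword := form.New_password
	// NOTE(review): no length or strength rule is applied to the new password
	// here; SignupForm has validate() but PasswordChangeForm does not.

	if newPassword == password {
		// Reusing the current password is a rejected request, so it is
		// reported with a 4xx status rather than a 200.
		w.WriteHeader(http.StatusBadRequest)
		body, err := json.Marshal(ErrorMsg{Msg: "The new password cannot be the same as the current one"})
		if err == nil {
			_, _ = w.Write(body) // nothing useful to do if the client has gone away
		}
		return
	}

	newPasswordHash := utils.SHA1(salt + newPassword)

	// NOTE(review): the UPDATE and DELETE below are not in one transaction; if
	// the DELETE fails the new password is stored while old sessions stay valid.
	if _, err := MyDB.connection.Exec("UPDATE users SET passwordhash=$1 where id=$2",
		newPasswordHash, userID); err != nil {
		log.Info("password update for user id %d failed: %v", userID, err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	// Expire all sessions so anything established with the old password stops
	// being usable.
	if _, err := MyDB.connection.Exec("DELETE FROM usersessions WHERE user_id=$1",
		userID); err != nil {
		log.Info("session expiry for user id %d failed: %v", userID, err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
}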
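// UserAuthSignupHandler creates a new user from the posted SignupForm.
//
// Responses: 400 when the form cannot be parsed or decoded, fails
// SignupForm.validate(), or the username is already taken; 500 when the
// insert fails; an empty 200 on success.
func UserAuthSignupHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")

	// A body that cannot be parsed is a client error: answer and stop instead
	// of panicking after the status has already been written.
	if err := r.ParseForm(); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	decoder := schema.NewDecoder()
	form := new(SignupForm)
	if err := decoder.Decode(form, r.PostForm); err != nil || !form.validate() {
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	// Reject a duplicate username before inserting.
	// NOTE(review): only a nil error means "row found"; any other error,
	// including a connection failure, falls through to the INSERT. Two
	// concurrent signups can both pass this check, so uniqueness must also be
	// enforced by a constraint on users.username. Telling "no rows" apart from
	// a real error needs the driver's not-found sentinel (e.g. sql.ErrNoRows).
	var id int
	err := MyDB.connection.QueryRow("SELECT 1 FROM users WHERE username = $1",
		form.Username).Scan(&id)
	if err == nil {
		log.Info("User %s already exists", form.Username)
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	// NOTE(review): every account is created with the shared AuthSalt, so the
	// passwordsalt column does not provide per-user salting. A random salt
	// generated here (crypto/rand) would fix that without changing UserAuth,
	// which already reads the salt back from the user's row.
	passwordHash := utils.SHA1(AuthSalt + form.Password)
	_, err = MyDB.connection.Exec(`INSERT INTO
                                    users(username, passwordhash, passwordsalt)
                                    VALUES($1,$2,$3)`,
		form.Username, passwordHash, AuthSalt)
	if err != nil {
		log.Info("creating user %s failed: %v", form.Username, err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	log.Info("Created user %s", form.Username)
}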