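// UserAuth checks username/password against the users table.
//
// On success it returns (userID, passwordSalt, true). On every failure —
// unknown user (or query error), disabled account, wrong password — it
// returns (-1, "", false). The three failure cases are distinguished only in
// the log, never in the return value, so a caller cannot turn this into a
// username-enumeration oracle.
func UserAuth(username string, password string) (int, string, bool) {
	row := MyDB.connection.QueryRow(`select id, passwordhash, passwordsalt, isdisabled from users where username=$1`, username)

	var (
		userID       int
		passwordHash string
		passwordSalt string
		isDisabled   bool
	)
	if err := row.Scan(&userID, &passwordHash, &passwordSalt, &isDisabled); err != nil {
		// "no rows" and any other scan/query error are deliberately reported the same way.
		log.Info("Unknown login or password for %s", username)
		return -1, "", false
	}
	if isDisabled {
		log.Info("Username %s is disabled", username)
		return -1, "", false
	}

	// SECURITY: SHA1(salt+password) is a fast, unsalted-by-design digest with no
	// work factor and is not an acceptable password hash; a password KDF
	// (bcrypt/scrypt/argon2) should replace it. That requires re-hashing every
	// stored credential, so it is only flagged here, not changed.
	calculated := utils.SHA1(passwordSalt + password)

	// The computed hash is intentionally NOT logged. The original emitted it at
	// debug level, which writes password-equivalent material into log files.
	// TODO(review): use crypto/subtle.ConstantTimeCompare here — `!=` on strings
	// stops at the first differing byte and leaks a small timing signal.
	if calculated != passwordHash {
		log.Info("Invalid password")
		return -1, "", false
	}
	return userID, passwordSalt, true
}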
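// UserAuthPasswordChangeHandler changes the password of the user identified
// by HTTP Basic Auth credentials. The new password is taken from the form
// field decoded into PasswordChangeForm.New_password.
//
// Responses:
//   - 401 when Basic Auth is absent or UserAuth rejects the credentials
//   - 400 when the form cannot be parsed, New_password is empty, or the new
//     password equals the current one (the last case carries a JSON ErrorMsg body)
//   - 500 when a database statement fails (the original panicked instead,
//     which drops the connection without a response)
//   - 200 with an empty body on success; every session row for the user is
//     deleted, so existing logins must re-authenticate.
func UserAuthPasswordChangeHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")

	// NOTE(review): r.Method is not checked; a GET carrying a form body is accepted too.
	username, password, ok := r.BasicAuth()
	if !ok {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	userID, salt, ok := UserAuth(username, password)
	if !ok {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// A malformed body is a client error: answer 400 and stop, rather than
	// panicking after the status line has already been written.
	if err := r.ParseForm(); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	form := new(PasswordChangeForm)
	if err := schema.NewDecoder().Decode(form, r.PostForm); err != nil || form.New_password == "" {
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	newPassword := form.New_password
	if newPassword == password {
		// Signal the rejection in the status code as well as the body; the
		// original answered 200, which clients routinely treat as success.
		w.WriteHeader(http.StatusBadRequest)
		if body, err := json.Marshal(ErrorMsg{Msg: "The new password cannot be the same as the current one"}); err == nil {
			w.Write(body)
		}
		return
	}

	// SECURITY: the new password is stored as SHA1(salt+password) with the
	// user's *existing* salt, and no strength rule beyond non-empty is applied.
	// SHA1 is not a password hash; a KDF (bcrypt/scrypt/argon2) and a freshly
	// generated salt per change are the fix, but both need a storage migration
	// (and crypto/rand), so they are only flagged here.
	newHash := utils.SHA1(salt + newPassword)

	// NOTE(review): the two statements are not in one transaction. If the
	// session purge fails, the password has changed but old sessions survive.
	if _, err := MyDB.connection.Exec("UPDATE users SET passwordhash=$1 where id=$2", newHash, userID); err != nil {
		// Do not echo the driver error to the client.
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	// Expire all sessions, including the caller's current one.
	if _, err := MyDB.connection.Exec("DELETE FROM usersessions WHERE user_id=$1", userID); err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
}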
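// UserAuthSignupHandler creates a user from a POST form decoded into SignupForm.
//
// Responses:
//   - 400 when the form cannot be parsed, SignupForm.validate() rejects it,
//     or a user with that username already exists
//   - 500 when the INSERT fails (the original panicked, dropping the connection)
//   - 200 with an empty body on success.
func UserAuthSignupHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")

	// Client error: respond and return instead of panicking after WriteHeader.
	if err := r.ParseForm(); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	form := new(SignupForm)
	if err := schema.NewDecoder().Decode(form, r.PostForm); err != nil || !form.validate() {
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	// Existence check. Two caveats a maintainer should know:
	//  - this is a check-then-insert race: concurrent signups for the same name
	//    can both pass it, so the INSERT below relies on a UNIQUE constraint on
	//    users.username, and that collision surfaces as 500 rather than 400;
	//  - any Scan error (not only "no rows") is treated as "user does not exist".
	var one int
	if err := MyDB.connection.QueryRow("SELECT 1 FROM users WHERE username = $1", form.Username).Scan(&one); err == nil {
		log.Info("User %s already exists", form.Username)
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	// SECURITY: every account is created with the same package-level AuthSalt,
	// so the per-user passwordsalt column is effectively a constant: identical
	// passwords hash identically across users and one precomputed table covers
	// them all. A random per-user salt from crypto/rand plus a real password
	// KDF instead of SHA1 is the fix; it needs an import and a migration of the
	// login path, so it is only flagged here.
	passwordHash := utils.SHA1(AuthSalt + form.Password)
	if _, err := MyDB.connection.Exec(`INSERT INTO users(username, passwordhash, passwordsalt) VALUES($1,$2,$3)`, form.Username, passwordHash, AuthSalt); err != nil {
		// Do not echo the driver error (it may contain the SQL) to the client.
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	log.Info("Created user %s", form.Username)
}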