Use ConstantTimeCompare to make the login more secure and not leak information about the used password (#205)

This commit is contained in:
Marcus Wichelmann 2022-07-14 08:35:58 +02:00 committed by GitHub
parent f43c59c043
commit 97652be545
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -1,6 +1,7 @@
package handler
import (
"crypto/subtle"
"encoding/base64"
"encoding/json"
"fmt"
@ -49,7 +50,9 @@ func Login(db store.IStore) echo.HandlerFunc {
return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
}
if user.Username == dbuser.Username && user.Password == dbuser.Password {
userCorrect := subtle.ConstantTimeCompare([]byte(user.Username), []byte(dbuser.Username)) == 1
passwordCorrect := subtle.ConstantTimeCompare([]byte(user.Password), []byte(dbuser.Password)) == 1
if userCorrect && passwordCorrect {
// TODO: refresh the token
sess, _ := session.Get("session", c)
sess.Options = &sessions.Options{
@ -82,7 +85,7 @@ func Login(db store.IStore) echo.HandlerFunc {
func Logout() echo.HandlerFunc {
return func(c echo.Context) error {
clearSession(c)
return c.Redirect(http.StatusTemporaryRedirect, util.BasePath + "/login")
return c.Redirect(http.StatusTemporaryRedirect, util.BasePath+"/login")
}
}
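Review bot: The two `subtle.ConstantTimeCompare` calls still compare the submitted password directly against `dbuser.Password`, which only makes sense if the stored value is the plaintext password or both sides were transformed identically before this point; if it is plaintext, the timing fix is a small gain next to the storage risk, and verifying against a salted hash (for example `bcrypt.CompareHashAndPassword`) would be the stronger change. Note also that `subtle.ConstantTimeCompare` returns 0 immediately when the two lengths differ, so the length of the stored value can still be inferred from response time; comparing fixed-length digests removes that as well. A short comment above the two compares would help future readers, e.g. `// Evaluate both compares unconditionally so the response time does not reveal which field mismatched.` Login's body begins before this hunk and continues after it.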