LumeWeb
/
portal
1
0
Fork 0
Code Issues 5 Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: LumeWeb:f3172b0d31f844b95a0e64b3a5d821f71b0fbe07
Branches Tags
LumeWeb:master
LumeWeb:develop
LumeWeb:v0.1.0-develop.3
LumeWeb:v0.1.0-develop.2
LumeWeb:v0.1.0-develop.1
LumeWeb:v0.0.1
..
compare: LumeWeb:27e7ea7d7a0bbf6c147ff625591acf6376c6c62d
Branches Tags
LumeWeb:develop
LumeWeb:master
LumeWeb:v0.1.0-develop.3
LumeWeb:v0.1.0-develop.2
LumeWeb:v0.1.0-develop.1
LumeWeb:v0.0.1

7 Commits
f3172b0d31 ... 27e7ea7d7a

Author SHA1 Message Date
Derrick Hammer 27e7ea7d7a
fix: PostPubkeyLogin should not preload any model 2023-06-06 22:28:58 -04:00
Derrick Hammer 09d53ffa76
fix: PostPubkeyLogin should be lowercasing the pubkey and signature 2023-06-06 22:28:40 -04:00
Derrick Hammer d680f0660f
fix: PostPubkeyChallenge should be lowercasing the pubkey for consistency 2023-06-06 22:28:17 -04:00
Derrick Hammer 36745bb55b
fix: PostPubkeyChallenge should be using ChallengeRequest 2023-06-06 22:27:34 -04:00
Derrick Hammer db3ba1f014
fix: PostPubkeyChallenge should not be checking email, but pubkey 2023-06-06 22:27:07 -04:00
Derrick Hammer c20dec0204
fix: abort if we don't have a password for the account, assume its pubkey only 2023-06-06 22:05:49 -04:00
Derrick Hammer def1b50cfc
fix: ensure we store the pubkey in lowercase 2023-06-06 22:04:59 -04:00
2 changed files with 21 additions and 7 deletions
Show Stats Expand all files Collapse all files

3
controller/account.go
View File

@ -14,6 +14,7 @@ import (
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"gorm.io/gorm" "gorm.io/gorm"
"reflect" "reflect"
"strings"
) )
type AccountController struct { type AccountController struct {
@ -116,7 +117,7 @@ func (a *AccountController) PostRegister() {
} }
if len(r.Pubkey) > 0 { if len(r.Pubkey) > 0 {
if err := tx.Create(&model.Key{Account: account, Pubkey: r.Pubkey}).Error; err != nil { if err := tx.Create(&model.Key{Account: account, Pubkey: strings.ToLower(r.Pubkey)}).Error; err != nil {
return err return err
} }
} }

25
controller/auth.go
View File

@ -13,6 +13,7 @@ import (
"github.com/kataras/jwt" "github.com/kataras/jwt"
"go.uber.org/zap" "go.uber.org/zap"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"strings"
"time" "time"
) )
@ -160,6 +161,13 @@ func (a *AuthController) PostLogin() {
return return
} }
if account.Password == nil || len(*account.Password) == 0 {
msg := "only pubkey login is supported"
logger.Get().Debug(msg)
a.Ctx.StopWithError(iris.StatusBadRequest, errors.New(msg))
return
}
// Verify the provided password against the hashed password stored in the database. // Verify the provided password against the hashed password stored in the database.
if err := verifyPassword(*account.Password, r.Password); err != nil { if err := verifyPassword(*account.Password, r.Password); err != nil {
msg := "invalid email or password" msg := "invalid email or password"
@ -185,7 +193,7 @@ func (a *AuthController) PostLogin() {
// PostChallenge handles the POST /api/auth/pubkey/challenge request to generate a challenge for a user's public key. // PostChallenge handles the POST /api/auth/pubkey/challenge request to generate a challenge for a user's public key.
func (a *AuthController) PostPubkeyChallenge() { func (a *AuthController) PostPubkeyChallenge() {
var r LoginRequest var r ChallengeRequest
// Read the login request from the client. // Read the login request from the client.
if err := a.Ctx.ReadJSON(&r); err != nil { if err := a.Ctx.ReadJSON(&r); err != nil {
@ -194,15 +202,17 @@ func (a *AuthController) PostPubkeyChallenge() {
return return
} }
r.Pubkey = strings.ToLower(r.Pubkey)
// Retrieve the account for the given email. // Retrieve the account for the given email.
account := model.Account{} account := model.Key{}
if err := db.Get().Where("email = ?", r.Email).First(&account).Error; err != nil { if err := db.Get().Where("pubkey = ?", r.Pubkey).First(&account).Error; err != nil {
a.Ctx.StopWithError(iris.StatusBadRequest, errors.New("invalid email or password")) a.Ctx.StopWithError(iris.StatusBadRequest, errors.New("invalid pubkey"))
return return
} }
// Generate a random challenge string. // Generate a random challenge string.
challenge, err := generateAndSaveChallengeToken(account.ID, time.Minute) challenge, err := generateAndSaveChallengeToken(account.AccountID, time.Minute)
if err != nil { if err != nil {
a.Ctx.StopWithError(iris.StatusInternalServerError, errors.New("failed to generate challenge")) a.Ctx.StopWithError(iris.StatusInternalServerError, errors.New("failed to generate challenge"))
return return
@ -226,9 +236,12 @@ func (a *AuthController) PostPubkeyLogin() {
return return
} }
r.Pubkey = strings.ToLower(r.Pubkey)
r.Signature = strings.ToLower(r.Signature)
// Retrieve the key challenge for the given challenge. // Retrieve the key challenge for the given challenge.
challenge := model.KeyChallenge{} challenge := model.KeyChallenge{}
if err := db.Get().Where("challenge = ?", r.Challenge).Preload("Key").First(&challenge).Error; err != nil { if err := db.Get().Where("challenge = ?", r.Challenge).First(&challenge).Error; err != nil {
msg := "invalid key challenge" msg := "invalid key challenge"
logger.Get().Debug(msg, zap.Error(err), zap.String("challenge", r.Challenge)) logger.Get().Debug(msg, zap.Error(err), zap.String("challenge", r.Challenge))
a.Ctx.StopWithError(iris.StatusBadRequest, errorx.RejectedOperation.New(msg)) a.Ctx.StopWithError(iris.StatusBadRequest, errorx.RejectedOperation.New(msg))