hash passwords in json file

Signed-off-by: Mitaka Jin <jin@mitaka.nl>

handler/routes.go

@@ -9,6 +9,8 @@ import (
 
 	rice "github.com/GeertJohan/go.rice"
 
+	"golang.org/x/crypto/bcrypt"
+
 	"github.com/gorilla/sessions"
 	"github.com/labstack/echo-contrib/session"
 	"github.com/labstack/echo/v4"
@@ -37,7 +39,15 @@ func Login() echo.HandlerFunc {
 			return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
 		}
 
-		if user.Username == dbuser.Username && user.Password == dbuser.Password {
+		// Check if the username matches
+		if user.Username != dbuser.Username {
+			return c.JSON(http.StatusUnauthorized, jsonHTTPResponse(false, "Invalid credentials"))
+		}
+
+		if err := bcrypt.CompareHashAndPassword(dbuser.Password, user.Password); err != nil {
+			return c.JSON(http.StatusUnauthorized, jsonHTTPResponse(false, "Invalid credentials"))
+		}
+
 		// TODO: refresh the token
 		sess, _ := session.Get("session", c)
 		sess.Options = &sessions.Options{
@@ -61,9 +71,6 @@ func Login() echo.HandlerFunc {
 
 		return c.JSON(http.StatusOK, jsonHTTPResponse{true, "Logged in successfully"})
 	}
-
-		return c.JSON(http.StatusUnauthorized, jsonHTTPResponse{false, "Invalid credentials"})
-	}
 }
 
 // Logout to log a user out

util/db.go

@@ -11,6 +11,7 @@ import (
 	"github.com/ngoduykhanh/wireguard-ui/model"
 	"github.com/sdomino/scribble"
 	"github.com/skip2/go-qrcode"
+	"golang.org/x/crypto/bcrypt"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
@@ -113,7 +114,10 @@ func InitDB() error {
 
 		user := new(model.User)
 		user.Username = defaultUsername
-		user.Password = defaultPassword
+		user.Password, err = bcrypt.GenerateFromPassword(defaultPassword, bcrypt.MaxCost)
+		if err != nil {
+			return err
+		}
 		db.Write("server", "users", user)
 	}