Use ConstantTimeCompare to make the login more secure and not leak information about the used password

This commit is contained in:
Marcus Wichelmann 2022-07-08 18:51:28 +02:00
parent f43c59c043
commit a95721defe
No known key found for this signature in database
GPG key ID: D9FC1B92E557C80D


@ -1,6 +1,7 @@
package handler package handler
import ( import (
"crypto/subtle"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
@ -49,7 +50,9 @@ func Login(db store.IStore) echo.HandlerFunc {
return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"}) return c.JSON(http.StatusInternalServerError, jsonHTTPResponse{false, "Cannot query user from DB"})
} }
if user.Username == dbuser.Username && user.Password == dbuser.Password { userCorrect := subtle.ConstantTimeCompare([]byte(user.Username), []byte(dbuser.Username)) == 1
passwordCorrect := subtle.ConstantTimeCompare([]byte(user.Password), []byte(dbuser.Password)) == 1
if userCorrect && passwordCorrect {
// TODO: refresh the token // TODO: refresh the token
sess, _ := session.Get("session", c) sess, _ := session.Get("session", c)
sess.Options = &sessions.Options{ sess.Options = &sessions.Options{
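Review bot: The two added comparisons still reveal whether the submitted password (or username) has the same length as the stored value, because subtle.ConstantTimeCompare returns 0 immediately when the slice lengths differ — that early return is documented behaviour of the function. Comparing fixed-length digests removes the length signal: `u := sha256.Sum256([]byte(user.Password)); d := sha256.Sum256([]byte(dbuser.Password)); passwordCorrect := subtle.ConstantTimeCompare(u[:], d[:]) == 1`, with the same treatment for the username and `"crypto/sha256"` added to the import block changed in the first hunk. Comparing directly against `dbuser.Password` suggests the stored credential is kept in the same form as the submitted one; if that is the plaintext, storing a bcrypt hash and verifying with `bcrypt.CompareHashAndPassword` would be the stronger fix and makes the hand-rolled constant-time compare unnecessary. Computing both results before the `&&` is correct as written, since short-circuiting the password compare on a username mismatch would otherwise be observable. The enclosing Login handler starts and ends outside the hunk.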