mirror of
https://github.com/adanrsantos/ThePlaceHolders.git
synced 2024-12-16 12:20:37 -06:00
Fixed bug where login doesn't compare passwords correctly
This commit is contained in:
parent
b86f74a888
commit
c160c57da5
10
server.go
10
server.go
|
|
@ -12,7 +12,9 @@ const ADDRESS = "127.0.0.1"
|
|||
const PORT = "8080"
|
||||
|
||||
type Server struct {
|
||||
Users map[string]UserData
|
||||
// Registered user information
|
||||
Users map[string]UserData
|
||||
// Login sessions
|
||||
Sessions *sessions.CookieStore
|
||||
}
|
||||
|
||||
|
|
@ -38,10 +40,10 @@ func main() {
|
|||
})
|
||||
// Start web server at 127.0.0.1:8080
|
||||
fmt.Printf("Listening to %s on port %s...\n", ADDRESS, PORT)
|
||||
e := http.ListenAndServe(ADDRESS+":"+PORT, nil)
|
||||
err := http.ListenAndServe(ADDRESS+":"+PORT, nil)
|
||||
// Print any errors
|
||||
if e != nil {
|
||||
if err != nil {
|
||||
fmt.Println("Error starting server:")
|
||||
log.Fatal(e)
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
36
users.go
36
users.go
|
|
@ -1,6 +1,7 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
|
@ -11,6 +12,7 @@ import (
|
|||
|
||||
const SESSION_COOKIE_NAME = "utsa-place-session"
|
||||
const SESSION_AUTH = "auth"
|
||||
const SESSION_STARTED = "age"
|
||||
|
||||
const ENCRYPTION_STRENGTH = 14
|
||||
|
||||
|
|
@ -28,16 +30,23 @@ func validate_email(email string) (string, bool) {
|
|||
return email, ok
|
||||
}
|
||||
|
||||
// Encrypts a password
|
||||
func hash_password(password string) string {
|
||||
bytes, _ := bcrypt.GenerateFromPassword([]byte(password), ENCRYPTION_STRENGTH)
|
||||
return string(bytes)
|
||||
}
|
||||
|
||||
// Compares an unencrpyted password to an encrypted password
|
||||
func check_password_hash(password string, hash string) bool {
|
||||
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
|
||||
return err == nil
|
||||
}
|
||||
|
||||
// Handles requests to /login.html
|
||||
func (s *Server) handle_login(w http.ResponseWriter, r *http.Request) {
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
http.ServeFile(w, r, "./static/register.html")
|
||||
http.ServeFile(w, r, "./static/login.html")
|
||||
case http.MethodPost:
|
||||
// Get data from form
|
||||
email := r.FormValue("email")
|
||||
|
|
@ -46,12 +55,12 @@ func (s *Server) handle_login(w http.ResponseWriter, r *http.Request) {
|
|||
user, ok := s.Users[email]
|
||||
// If user does not exist
|
||||
if !ok {
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
http.Error(w, "User not found", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
// If password does not match
|
||||
if password != user.Password {
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
if !check_password_hash(password, user.Password) {
|
||||
http.Error(w, "Passwords dont match", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
// Generate session
|
||||
|
|
@ -61,12 +70,15 @@ func (s *Server) handle_login(w http.ResponseWriter, r *http.Request) {
|
|||
http.Error(w, "Invalid session", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
now := time.Now()
|
||||
session.Values[SESSION_AUTH] = true
|
||||
session.Values[SESSION_STARTED] = now
|
||||
session.Save(r, w)
|
||||
// Update last-login on DB
|
||||
user.LastLogin = time.Now()
|
||||
user.LastLogin = now
|
||||
s.Users[email] = user
|
||||
// Redirect to index.html
|
||||
fmt.Println("Logged in user: ", email)
|
||||
http.Redirect(w, r, "/", http.StatusFound)
|
||||
default:
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
|
|
@ -86,7 +98,7 @@ func (s *Server) handle_register(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
password := r.FormValue("password")
|
||||
if len(password) < 5 || len(password) >= 70 {
|
||||
if len(password) < 8 || len(password) >= 70 {
|
||||
http.Error(w, "Invalid password length", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
|
@ -103,18 +115,21 @@ func (s *Server) handle_register(w http.ResponseWriter, r *http.Request) {
|
|||
http.Error(w, "Invalid session", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
now := time.Now()
|
||||
// Save user information to DB
|
||||
s.Users[email] = UserData{
|
||||
Email: email,
|
||||
Password: password,
|
||||
AccountCreated: time.Now(),
|
||||
LastLogin: time.Now(),
|
||||
Password: hash_password(password),
|
||||
AccountCreated: now,
|
||||
LastLogin: now,
|
||||
}
|
||||
// Make session valid
|
||||
session.Values[SESSION_AUTH] = true
|
||||
session.Values[SESSION_STARTED] = now
|
||||
// Send session token to browser
|
||||
session.Save(r, w)
|
||||
// Redirect to index.html
|
||||
fmt.Println("Registered user: ", email)
|
||||
http.Redirect(w, r, "/", http.StatusFound)
|
||||
default:
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
|
|
@ -130,7 +145,8 @@ func (s *Server) handle_logout(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
// Remove session cookie
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: SESSION_COOKIE_NAME,
|
||||
Name: SESSION_COOKIE_NAME,
|
||||
// Negative max age immediately removes the cookie
|
||||
MaxAge: -1,
|
||||
})
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue