From c160c57da5e2a70b406ce21fd0d3b48efdc62b36 Mon Sep 17 00:00:00 2001 From: Logan Date: Sat, 28 Sep 2024 03:42:26 -0500 Subject: [PATCH] Fixed bug where login doesn't compare passwords correctly --- server.go | 10 ++++++---- users.go | 36 ++++++++++++++++++++++++++---------- 2 files changed, 32 insertions(+), 14 deletions(-) diff --git a/server.go b/server.go index c4b9890..3a89495 100644 --- a/server.go +++ b/server.go @@ -12,7 +12,9 @@ const ADDRESS = "127.0.0.1" const PORT = "8080" type Server struct { - Users map[string]UserData + // Registered user information + Users map[string]UserData + // Login sessions Sessions *sessions.CookieStore } @@ -38,10 +40,10 @@ func main() { }) // Start web server at 127.0.0.1:8080 fmt.Printf("Listening to %s on port %s...\n", ADDRESS, PORT) - e := http.ListenAndServe(ADDRESS+":"+PORT, nil) + err := http.ListenAndServe(ADDRESS+":"+PORT, nil) // Print any errors - if e != nil { + if err != nil { fmt.Println("Error starting server:") - log.Fatal(e) + log.Fatal(err) } } diff --git a/users.go b/users.go index 3181e67..ea0834d 100644 --- a/users.go +++ b/users.go @@ -1,6 +1,7 @@ package main import ( + "fmt" "net/http" "regexp" "strings" @@ -11,6 +12,7 @@ import ( const SESSION_COOKIE_NAME = "utsa-place-session" const SESSION_AUTH = "auth" +const SESSION_STARTED = "age" const ENCRYPTION_STRENGTH = 14 @@ -28,16 +30,23 @@ func validate_email(email string) (string, bool) { return email, ok } +// Encrypts a password func hash_password(password string) string { bytes, _ := bcrypt.GenerateFromPassword([]byte(password), ENCRYPTION_STRENGTH) return string(bytes) } +// Compares an unencrpyted password to an encrypted password +func check_password_hash(password string, hash string) bool { + err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) + return err == nil +} + // Handles requests to /login.html func (s *Server) handle_login(w http.ResponseWriter, r *http.Request) { switch r.Method { case http.MethodGet: - http.ServeFile(w, r, "./static/register.html") + http.ServeFile(w, r, "./static/login.html") case http.MethodPost: // Get data from form email := r.FormValue("email") @@ -46,12 +55,12 @@ func (s *Server) handle_login(w http.ResponseWriter, r *http.Request) { user, ok := s.Users[email] // If user does not exist if !ok { - http.Error(w, "Forbidden", http.StatusForbidden) + http.Error(w, "User not found", http.StatusForbidden) return } // If password does not match - if password != user.Password { - http.Error(w, "Forbidden", http.StatusForbidden) + if !check_password_hash(password, user.Password) { + http.Error(w, "Passwords dont match", http.StatusForbidden) return } // Generate session @@ -61,12 +70,15 @@ func (s *Server) handle_login(w http.ResponseWriter, r *http.Request) { http.Error(w, "Invalid session", http.StatusUnauthorized) return } + now := time.Now() session.Values[SESSION_AUTH] = true + session.Values[SESSION_STARTED] = now session.Save(r, w) // Update last-login on DB - user.LastLogin = time.Now() + user.LastLogin = now s.Users[email] = user // Redirect to index.html + fmt.Println("Logged in user: ", email) http.Redirect(w, r, "/", http.StatusFound) default: http.Error(w, "Forbidden", http.StatusForbidden) @@ -86,7 +98,7 @@ func (s *Server) handle_register(w http.ResponseWriter, r *http.Request) { return } password := r.FormValue("password") - if len(password) < 5 || len(password) >= 70 { + if len(password) < 8 || len(password) >= 70 { http.Error(w, "Invalid password length", http.StatusForbidden) return } @@ -103,18 +115,21 @@ func (s *Server) handle_register(w http.ResponseWriter, r *http.Request) { http.Error(w, "Invalid session", http.StatusUnauthorized) return } + now := time.Now() // Save user information to DB s.Users[email] = UserData{ Email: email, - Password: password, - AccountCreated: time.Now(), - LastLogin: time.Now(), + Password: hash_password(password), + AccountCreated: now, + LastLogin: now, } // Make session valid session.Values[SESSION_AUTH] = true + session.Values[SESSION_STARTED] = now // Send session token to browser session.Save(r, w) // Redirect to index.html + fmt.Println("Registered user: ", email) http.Redirect(w, r, "/", http.StatusFound) default: http.Error(w, "Forbidden", http.StatusForbidden) @@ -130,7 +145,8 @@ func (s *Server) handle_logout(w http.ResponseWriter, r *http.Request) { } // Remove session cookie http.SetCookie(w, &http.Cookie{ - Name: SESSION_COOKIE_NAME, + Name: SESSION_COOKIE_NAME, + // Negative max age immediately removes the cookie MaxAge: -1, }) }