Don't disclose too much informations about users

2020-04-20 11:53:33 +02:00 · 2020-04-20 11:53:33 +02:00 · efc6246685
parent 1263b87d1f
commit efc6246685
3 changed files with 40 additions and 29 deletions
--- a/api/user_auth.go
+++ b/api/user_auth.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"time"

 	"github.com/julienschmidt/httprouter"

@ -22,9 +23,19 @@ func init() {
 	}))
 }

+type DisplayUser struct {
+	Id               int64      `json:"id"`
+	Email            string     `json:"email"`
+	RegistrationTime *time.Time `json:"registration_time,omitempty"`
+}
+
 func validateAuthToken(_ *config.Options, u *happydns.User, _ httprouter.Params, _ io.Reader) Response {
 	return APIResponse{
-		response: u,
+		response: &DisplayUser{
+			Id:               u.Id,
+			Email:            u.Email,
+			RegistrationTime: u.RegistrationTime,
+		},
 	}
 }

@ -83,7 +94,7 @@ func checkAuth(_ httprouter.Params, body io.Reader) Response {
 		}
 	} else if !user.CheckAuth(lf.Password) {
 		return APIErrorResponse{
-			err:    errors.New(`{"status": "Invalid username or password"}`),
+			err:    errors.New(`Invalid username or password`),
 			status: http.StatusUnauthorized,
 		}
 	} else {
--- a/api/users.go
+++ b/api/users.go
@ -13,22 +13,9 @@ import (
 )

 func init() {
-	router.GET("/api/users", apiHandler(listUsers))
 	router.POST("/api/users", apiHandler(registerUser))
 }

-func listUsers(_ httprouter.Params, _ io.Reader) Response {
-	if users, err := storage.MainStore.GetUsers(); err != nil {
-		return APIErrorResponse{
-			err: err,
-		}
-	} else {
-		return APIResponse{
-			response: users,
-		}
-	}
-}
-
 type UploadedUser struct {
 	Email    string
 	Password string
--- a/model/user.go
+++ b/model/user.go
@ -8,33 +8,46 @@ import (
 )

 type User struct {
-	Id               int64  `json:"id"`
-	Email            string `json:"email"`
+	Id               int64
+	Email            string
 	Password         []byte
 	Salt             []byte
-	RegistrationTime *time.Time `json:"registration_time"`
+	RegistrationTime *time.Time
 }

 type Users []*User

 func GenPassword(password string, salt []byte) []byte {
-	return hmac.New(sha512.New512_224, []byte(password)).Sum([]byte(salt))
+	return hmac.New(sha512.New512_224, []byte(password)).Sum(salt)
 }

-func NewUser(email string, password string) (*User, error) {
-	salt := make([]byte, 64)
-	if _, err := rand.Read(salt); err != nil {
-		return nil, err
-	}
-	hashedpass := GenPassword(password, salt)
+func NewUser(email string, password string) (u *User, err error) {
 	t := time.Now()
-	return &User{
+
+	u = &User{
 		Id:               0,
 		Email:            email,
-		Password:         hashedpass,
-		Salt:             salt,
 		RegistrationTime: &t,
-	}, nil
+	}
+
+	err = u.DefinePassword(password)
+
+	return
+}
+
+// DefinePassword computes the expected hash for the given password and also
+// renew the User's Salt.
+func (u *User) DefinePassword(password string) error {
+	// Renew salt
+	u.Salt = make([]byte, 64)
+	if _, err := rand.Read(u.Salt); err != nil {
+		return err
+	}
+
+	// Compute password hash
+	u.Password = GenPassword(password, u.Salt)
+
+	return nil
 }

 func (u *User) CheckAuth(password string) bool {