feat(Server): argon2 auth

ASM-Studios · Dec 2, 2024 · 423a4ac · 423a4ac
1 parent 8e9dadd
commit 423a4ac
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 6 deletions.
diff --git a/server/internal/controllers/auth.go b/server/internal/controllers/auth.go
@@ -24,11 +24,16 @@ func Login(c *gin.Context) {
 	email := c.PostForm("email")
 	password := c.PostForm("password")
 	var user models.User
-	db.DB.Where("email = ? AND password = ?", email, password).First(&user)
+	db.DB.Where("email = ?", email).First(&user)
 	if user.ID == 0 {
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid credentials"})
 		return
 	}
+	if err := utils.VerifyPassword(password, user.Password, user.Salt); err != nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid credentials"})
+		return
+	}
+
 	tokenString := utils.NewToken(c, email)
 	db.DB.Model(&user).Update("token", tokenString)
 	c.JSON(http.StatusOK, gin.H{"token": tokenString})
@@ -52,9 +57,12 @@ func Register(c *gin.Context) {
 		c.JSON(http.StatusConflict, gin.H{"error": "User already exists"})
 		return
 	}
+	password, salt := utils.HashPassword(c.PostForm("password"))
+
 	db.DB.Create(&models.User{
 		Email:    c.PostForm("email"),
-		Password: c.PostForm("password"),
+		Password: password,
+		Salt:     salt,
 		Token:    tokenString,
 	})
 	c.JSON(http.StatusOK, gin.H{"token": tokenString})

diff --git a/server/internal/models/users.go b/server/internal/models/users.go
@@ -8,5 +8,6 @@ type User struct {
 	gorm.Model
 	Email    string `gorm:"unique;not null" json:"email" binding:"required"`
 	Password string `gorm:"not null" json:"password" binding:"required"`
+	Salt     string `gorm:"not null" json:"salt"`
 	Token    string `gorm:"not null" json:"token"`
 }
diff --git a/server/internal/utils/auth.go b/server/internal/utils/auth.go
@@ -1,12 +1,32 @@
 package utils
 
 import (
+	"crypto/rand"
 	"encoding/base64"
+	"errors"
 	"golang.org/x/crypto/argon2"
+	"log"
 )
 
-func HashPassword(password string) string {
-	salt := []byte("randomSalt")
-	hash := argon2.IDKey([]byte(password), salt, 1, 64*1024, 4, 32)
-	return base64.RawStdEncoding.EncodeToString(hash)
+func VerifyPassword(password, hashedPassword, salt string) error {
+	hash := argon2.IDKey([]byte(password), []byte(salt), 1, 64*1024, 4, 32)
+	if base64.RawStdEncoding.EncodeToString(hash) != hashedPassword {
+		return errors.New("invalid password")
+	}
+	return nil
+}
+
+func randomSalt() string {
+	salt := make([]byte, 16)
+	_, err := rand.Read(salt)
+	if err != nil {
+		log.Fatalf("Error occurred while generating random salt: %v", err)
+	}
+	return base64.RawStdEncoding.EncodeToString(salt)
+}
+
+func HashPassword(password string) (string, string) {
+	salt := randomSalt()
+	hash := argon2.IDKey([]byte(password), []byte(salt), 1, 64*1024, 4, 32)
+	return base64.RawStdEncoding.EncodeToString(hash), salt
 }