mirror of
https://github.com/volatiletech/authboss.git
synced 2025-03-05 15:15:45 +02:00
creds generator via interface
This commit is contained in:
Evghenii Maslennikov
Stephen Afam-Osemene
parent
42f90e2471
commit
434d85909f
@ -242,6 +242,9 @@ type Config struct {
|
||||
// Hasher hashes passwords into hashes
|
||||
Hasher Hasher
|
||||
|
||||
// CredsGenerator generates credentials (selector+verified+token)
|
||||
CredsGenerator CredsGenerator
|
||||
|
||||
// Logger implies just a few log levels for use, can optionally
|
||||
// also implement the ContextLogger to be able to upgrade to a
|
||||
// request specific logger.
|
||||
|
||||
@ -3,12 +3,9 @@ package confirm
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/sha512"
|
||||
"crypto/subtle"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"path"
|
||||
@ -33,9 +30,6 @@ const (
|
||||
// DataConfirmURL is the name of the e-mail template variable
|
||||
// that gives the url to send to the user for confirmation.
|
||||
DataConfirmURL = "url"
|
||||
|
||||
confirmTokenSize = 64
|
||||
confirmTokenSplit = confirmTokenSize / 2
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -128,7 +122,7 @@ func (c *Confirm) StartConfirmationWeb(w http.ResponseWriter, r *http.Request, h
|
||||
func (c *Confirm) StartConfirmation(ctx context.Context, user authboss.ConfirmableUser, sendEmail bool) error {
|
||||
logger := c.Authboss.Logger(ctx)
|
||||
|
||||
selector, verifier, token, err := GenerateConfirmCreds()
|
||||
selector, verifier, token, err := c.Authboss.Core.CredsGenerator.GenerateCreds()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -198,13 +192,14 @@ func (c *Confirm) Get(w http.ResponseWriter, r *http.Request) error {
|
||||
return c.invalidToken(w, r)
|
||||
}
|
||||
|
||||
if len(rawToken) != confirmTokenSize {
|
||||
credsGenerator := c.Authboss.Core.CredsGenerator
|
||||
|
||||
if len(rawToken) != credsGenerator.TokenSize() {
|
||||
logger.Infof("invalid confirm token submitted, size was wrong: %d", len(rawToken))
|
||||
return c.invalidToken(w, r)
|
||||
}
|
||||
|
||||
selectorBytes := sha512.Sum512(rawToken[:confirmTokenSplit])
|
||||
verifierBytes := sha512.Sum512(rawToken[confirmTokenSplit:])
|
||||
selectorBytes, verifierBytes := credsGenerator.ParseToken(string(rawToken))
|
||||
selector := base64.StdEncoding.EncodeToString(selectorBytes[:])
|
||||
|
||||
storer := authboss.EnsureCanConfirm(c.Authboss.Config.Storage.Server)
|
||||
@ -296,23 +291,3 @@ func Middleware(ab *authboss.Authboss) func(http.Handler) http.Handler {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// GenerateConfirmCreds generates pieces needed for user confirm
|
||||
// selector: hash of the first half of a 64 byte value
|
||||
// (to be stored in the database and used in SELECT query)
|
||||
// verifier: hash of the second half of a 64 byte value
|
||||
// (to be stored in database but never used in SELECT query)
|
||||
// token: the user-facing base64 encoded selector+verifier
|
||||
func GenerateConfirmCreds() (selector, verifier, token string, err error) {
|
||||
rawToken := make([]byte, confirmTokenSize)
|
||||
if _, err = io.ReadFull(rand.Reader, rawToken); err != nil {
|
||||
return "", "", "", err
|
||||
}
|
||||
selectorBytes := sha512.Sum512(rawToken[:confirmTokenSplit])
|
||||
verifierBytes := sha512.Sum512(rawToken[confirmTokenSplit:])
|
||||
|
||||
return base64.StdEncoding.EncodeToString(selectorBytes[:]),
|
||||
base64.StdEncoding.EncodeToString(verifierBytes[:]),
|
||||
base64.URLEncoding.EncodeToString(rawToken),
|
||||
nil
|
||||
}
|
||||
|
||||
@ -73,6 +73,7 @@ func testSetup() *testHarness {
|
||||
harness.ab.Config.Core.BodyReader = harness.bodyReader
|
||||
harness.ab.Config.Core.Logger = mocks.Logger{}
|
||||
harness.ab.Config.Core.Hasher = defaults.NewBCryptHasher(harness.ab.Modules.BCryptCost)
|
||||
harness.ab.Config.Core.CredsGenerator = defaults.NewSha512CredsGenerator()
|
||||
harness.ab.Config.Core.Mailer = harness.mailer
|
||||
harness.ab.Config.Core.Redirector = harness.redirector
|
||||
harness.ab.Config.Core.MailRenderer = harness.renderer
|
||||
@ -178,7 +179,7 @@ func TestGetSuccess(t *testing.T) {
|
||||
|
||||
harness := testSetup()
|
||||
|
||||
selector, verifier, token, err := GenerateConfirmCreds()
|
||||
selector, verifier, token, err := harness.ab.Config.Core.CredsGenerator.GenerateCreds()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@ -273,7 +274,7 @@ func TestGetUserNotFoundFailure(t *testing.T) {
|
||||
|
||||
harness := testSetup()
|
||||
|
||||
_, _, token, err := GenerateConfirmCreds()
|
||||
_, _, token, err := harness.ab.Config.Core.CredsGenerator.GenerateCreds()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@ -382,7 +383,9 @@ func TestMailURL(t *testing.T) {
|
||||
func TestGenerateRecoverCreds(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
selector, verifier, token, err := GenerateConfirmCreds()
|
||||
credsGenerator := defaults.NewSha512CredsGenerator()
|
||||
|
||||
selector, verifier, token, err := credsGenerator.GenerateCreds()
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
@ -391,6 +394,8 @@ func TestGenerateRecoverCreds(t *testing.T) {
|
||||
t.Error("the verifier and selector should be different")
|
||||
}
|
||||
|
||||
confirmTokenSplit := credsGenerator.TokenSize() / 2
|
||||
|
||||
// base64 length: n = 64; 4*(64/3) = 85.3; round to nearest 4: 88
|
||||
if len(verifier) != 88 {
|
||||
t.Errorf("verifier length was wrong (%d): %s", len(verifier), verifier)
|
||||
|
||||
13
creds_generator.go
Normal file
13
creds_generator.go
Normal file
@ -0,0 +1,13 @@
|
||||
package authboss
|
||||
|
||||
type CredsGenerator interface {
|
||||
// GenerateCreds generates pieces needed as credentials
|
||||
// selector: to be stored in the database and used in SELECT query
|
||||
// verifier: to be stored in database but never used in SELECT query
|
||||
// token: the user-facing base64 encoded selector+verifier
|
||||
GenerateCreds() (selector, verifier, token string, err error)
|
||||
|
||||
ParseToken(token string) (selectorBytes, verifierBytes []byte)
|
||||
|
||||
TokenSize() int
|
||||
}
|
||||
52
defaults/creds_generator.go
Normal file
52
defaults/creds_generator.go
Normal file
@ -0,0 +1,52 @@
|
||||
package defaults
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/sha512"
|
||||
"encoding/base64"
|
||||
"io"
|
||||
)
|
||||
|
||||
const (
|
||||
tokenSize = 64
|
||||
tokenSplit = tokenSize / 2
|
||||
)
|
||||
|
||||
type Sha512CredsGenerator struct{}
|
||||
|
||||
func NewSha512CredsGenerator() *Sha512CredsGenerator {
|
||||
return &Sha512CredsGenerator{}
|
||||
}
|
||||
|
||||
// GenerateCreds generates pieces needed as credentials
|
||||
// selector: hash of the first half of an N byte value
|
||||
// (to be stored in the database and used in SELECT query)
|
||||
// verifier: hash of the second half of an N byte value
|
||||
// (to be stored in database but never used in SELECT query)
|
||||
// token: the user-facing base64 encoded selector+verifier
|
||||
func (cg *Sha512CredsGenerator) GenerateCreds() (selector, verifier, token string, err error) {
|
||||
rawToken := make([]byte, tokenSize)
|
||||
if _, err = io.ReadFull(rand.Reader, rawToken); err != nil {
|
||||
return "", "", "", err
|
||||
}
|
||||
|
||||
selectorBytes := sha512.Sum512(rawToken[:tokenSplit])
|
||||
verifierBytes := sha512.Sum512(rawToken[tokenSplit:])
|
||||
|
||||
return base64.StdEncoding.EncodeToString(selectorBytes[:]),
|
||||
base64.StdEncoding.EncodeToString(verifierBytes[:]),
|
||||
base64.URLEncoding.EncodeToString(rawToken),
|
||||
nil
|
||||
}
|
||||
|
||||
func (cg *Sha512CredsGenerator) ParseToken(rawToken string) (selectorBytes, verifierBytes []byte) {
|
||||
selectorBytes64 := sha512.Sum512([]byte(rawToken)[:tokenSplit])
|
||||
selectorBytes = selectorBytes64[:]
|
||||
|
||||
verifierBytes64 := sha512.Sum512([]byte(rawToken)[tokenSplit:])
|
||||
verifierBytes = verifierBytes64[:]
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (cg *Sha512CredsGenerator) TokenSize() int { return tokenSize }
|
||||
40
defaults/creds_generator_test.go
Normal file
40
defaults/creds_generator_test.go
Normal file
@ -0,0 +1,40 @@
|
||||
package defaults
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCredsGenerator(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
credsGenerator := NewSha512CredsGenerator()
|
||||
|
||||
selector, verifier, tokenEncoded, err := credsGenerator.GenerateCreds()
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
// let's decode the token
|
||||
tokenBytes, err := base64.URLEncoding.DecodeString(tokenEncoded)
|
||||
token := string(tokenBytes)
|
||||
|
||||
if len(token) != credsGenerator.TokenSize() {
|
||||
t.Error("token size is invalid", len(token))
|
||||
}
|
||||
|
||||
selectorBytes, verifierBytes := credsGenerator.ParseToken(token)
|
||||
|
||||
// encode back and verify
|
||||
|
||||
selectorParsed := base64.StdEncoding.EncodeToString(selectorBytes[:])
|
||||
verifierParsed := base64.StdEncoding.EncodeToString(verifierBytes[:])
|
||||
|
||||
if selectorParsed != selector {
|
||||
t.Error("selector generated wrong", selector, selectorParsed)
|
||||
}
|
||||
|
||||
if verifierParsed != verifier {
|
||||
t.Error("verifier generated wrong", verifier, verifierParsed)
|
||||
}
|
||||
}
|
||||
@ -26,5 +26,6 @@ func SetCore(config *authboss.Config, readJSON, useUsername bool) {
|
||||
config.Core.BodyReader = NewHTTPBodyReader(readJSON, useUsername)
|
||||
config.Core.Mailer = NewLogMailer(os.Stdout)
|
||||
config.Core.Hasher = NewBCryptHasher(config.Modules.BCryptCost)
|
||||
config.Core.CredsGenerator = NewSha512CredsGenerator()
|
||||
config.Core.Logger = logger
|
||||
}
|
||||
|
||||
@ -36,4 +36,10 @@ func TestSetCore(t *testing.T) {
|
||||
if config.Core.Logger == nil {
|
||||
t.Error("logger should be set")
|
||||
}
|
||||
if config.Core.Hasher == nil {
|
||||
t.Error("hasher should be set")
|
||||
}
|
||||
if config.Core.CredsGenerator == nil {
|
||||
t.Error("creds-generator should be set")
|
||||
}
|
||||
}
|
||||
|
||||
@ -3,13 +3,10 @@ package recover
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/sha512"
|
||||
"crypto/subtle"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"path"
|
||||
@ -33,9 +30,6 @@ const (
|
||||
PageRecoverEnd = "recover_end"
|
||||
|
||||
recoverInitiateSuccessFlash = "An email has been sent to you with further instructions on how to reset your password."
|
||||
|
||||
recoverTokenSize = 64
|
||||
recoverTokenSplit = recoverTokenSize / 2
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -112,7 +106,7 @@ func (r *Recover) StartPost(w http.ResponseWriter, req *http.Request) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
selector, verifier, token, err := GenerateRecoverCreds()
|
||||
selector, verifier, token, err := r.Authboss.Config.Core.CredsGenerator.GenerateCreds()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -227,13 +221,14 @@ func (r *Recover) EndPost(w http.ResponseWriter, req *http.Request) error {
|
||||
return r.invalidToken(PageRecoverEnd, w, req)
|
||||
}
|
||||
|
||||
if len(rawToken) != recoverTokenSize {
|
||||
credsGenerator := r.Authboss.Core.CredsGenerator
|
||||
|
||||
if len(rawToken) != credsGenerator.TokenSize() {
|
||||
logger.Infof("invalid recover token submitted, size was wrong: %d", len(rawToken))
|
||||
return r.invalidToken(PageRecoverEnd, w, req)
|
||||
}
|
||||
|
||||
selectorBytes := sha512.Sum512(rawToken[:recoverTokenSplit])
|
||||
verifierBytes := sha512.Sum512(rawToken[recoverTokenSplit:])
|
||||
selectorBytes, verifierBytes := credsGenerator.ParseToken(string(rawToken))
|
||||
selector := base64.StdEncoding.EncodeToString(selectorBytes[:])
|
||||
|
||||
storer := authboss.EnsureCanRecover(r.Authboss.Config.Storage.Server)
|
||||
@ -340,23 +335,3 @@ func (r *Recover) mailURL(token string) string {
|
||||
p := path.Join(r.Config.Paths.Mount, "recover/end")
|
||||
return fmt.Sprintf("%s%s?%s", r.Config.Paths.RootURL, p, query.Encode())
|
||||
}
|
||||
|
||||
// GenerateRecoverCreds generates pieces needed for user recovery
|
||||
// selector: hash of the first half of a 64 byte value
|
||||
// (to be stored in the database and used in SELECT query)
|
||||
// verifier: hash of the second half of a 64 byte value
|
||||
// (to be stored in database but never used in SELECT query)
|
||||
// token: the user-facing base64 encoded selector+verifier
|
||||
func GenerateRecoverCreds() (selector, verifier, token string, err error) {
|
||||
rawToken := make([]byte, recoverTokenSize)
|
||||
if _, err = io.ReadFull(rand.Reader, rawToken); err != nil {
|
||||
return "", "", "", err
|
||||
}
|
||||
selectorBytes := sha512.Sum512(rawToken[:recoverTokenSplit])
|
||||
verifierBytes := sha512.Sum512(rawToken[recoverTokenSplit:])
|
||||
|
||||
return base64.StdEncoding.EncodeToString(selectorBytes[:]),
|
||||
base64.StdEncoding.EncodeToString(verifierBytes[:]),
|
||||
base64.URLEncoding.EncodeToString(rawToken),
|
||||
nil
|
||||
}
|
||||
|
||||
@ -87,6 +87,7 @@ func testSetup() *testHarness {
|
||||
harness.ab.Config.Core.BodyReader = harness.bodyReader
|
||||
harness.ab.Config.Core.Logger = mocks.Logger{}
|
||||
harness.ab.Config.Core.Hasher = defaults.NewBCryptHasher(harness.ab.Config.Modules.BCryptCost)
|
||||
harness.ab.Config.Core.CredsGenerator = defaults.NewSha512CredsGenerator()
|
||||
harness.ab.Config.Core.Mailer = harness.mailer
|
||||
harness.ab.Config.Core.Redirector = harness.redirector
|
||||
harness.ab.Config.Core.MailRenderer = harness.renderer
|
||||
@ -472,10 +473,13 @@ func invalidCheck(t *testing.T, h *testHarness, w *httptest.ResponseRecorder) {
|
||||
func TestGenerateRecoverCreds(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
selector, verifier, token, err := GenerateRecoverCreds()
|
||||
credsGenerator := defaults.NewSha512CredsGenerator()
|
||||
|
||||
selector, verifier, token, err := credsGenerator.GenerateCreds()
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
t.Fatal(err)
|
||||
}
|
||||
recoverTokenSplit := credsGenerator.TokenSize() / 2
|
||||
|
||||
if verifier == selector {
|
||||
t.Error("the verifier and selector should be different")
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user