fix password check

LiterMC · Oct 13, 2023 · 6df89be · 6df89be
1 parent 60322d0
commit 6df89be
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 5 deletions.
diff --git a/cmds/liter-server/api_v1.go b/cmds/liter-server/api_v1.go
@@ -49,14 +49,22 @@ func (s *Server)checkToken(ctx *gin.Context, token string)(ok bool){
 		jwt.WithIssuer(jwtIssuer),
 	)
 	if err != nil {
+		loger.Debugf("JWT verify error: %v", err)
 		return false
 	}
 	c, ok := t.Claims.(jwt.MapClaims)
 	if !ok {
+		loger.Debugf("JWT claim is not jwt.MapClaims")
 		return false
 	}
 	id := ctx.GetString(clientIdKey)
 	if c["cli"] != id {
+		loger.Debugf("JWT cli %q not match %q", c["cli"], id)
+		return false
+	}
+	if jti, ok := c["jti"].(string); !ok || !checkTokenId(jti) {
+		ctx.Set(clientTokenIdKey, jti)
+		loger.Debug("JWT id not exist")
 		return false
 	}
 	if u, ok := c["user"]; !ok {
@@ -134,6 +142,13 @@ func (s *Server)initV1(v1 *gin.RouterGroup){
 		})
 	})
 
+	v1.POST("/logout", s.checkTokenMiddle, func(ctx *gin.Context){
+		unregisterTokenId(ctx.GetString(clientTokenIdKey))
+		ctx.JSON(http.StatusOK, gin.H{
+			"status": "ok",
+		})
+	})
+
 	v1.GET("/verify", s.checkTokenMiddle, func(ctx *gin.Context){
 		ctx.JSON(http.StatusOK, gin.H{
 			"status": "ok",
@@ -154,7 +169,8 @@ func (s *Server)initV1(v1 *gin.RouterGroup){
 		}
 
 		u := s.users.GetUser(user)
-		if u == nil || !u.CheckPassword(req.OldPasswd) {
+		ok := u.CheckPassword(req.OldPasswd)
+		if u == nil || !ok {
 			ctx.AbortWithStatusJSON(http.StatusUnauthorized, RequestFailedFromString(
 				"AuthError", "Password is error",
 			))

diff --git a/cmds/liter-server/dashboard b/cmds/liter-server/dashboard
diff --git a/cmds/liter-server/main.go b/cmds/liter-server/main.go
@@ -152,7 +152,8 @@ func main(){
 				root := &User{
 					Name: "root",
 				}
-				root.SetPassword(passwd)
+				// one more sha from the browser
+				root.SetPassword(asSha256Hex(passwd))
 				if err := server.users.AddUser(root); err != nil {
 					loger.Errorf("Cannot create new user: %v", err)
 				}else{
@@ -280,7 +281,7 @@ func listenAndServeHTTP(server *http.Server)(exited chan struct{}, err error){
 	exit := make(chan struct{}, 0)
 	go func(){
 		defer close(exit)
-		if err := server.Serve(listener); err != nil && !errors.Is(err, net.ErrClosed) {
+		if err := server.Serve(listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
 			loger.Errorf("Error on serve: %v", err)
 		}
 	}()

diff --git a/cmds/liter-server/user.go b/cmds/liter-server/user.go
@@ -27,7 +27,7 @@ func (u *User)SetPassword(pswd string){
 }
 
 func (u *User)CheckPassword(pswd string)(ok bool){
-	return subtle.ConstantTimeCompare(([]byte)(u.Password), ([]byte)(asSha256(pswd))) == 0
+	return subtle.ConstantTimeCompare(([]byte)(u.Password), ([]byte)(asSha256(pswd))) == 1
 }
 
 type UserStorage struct {

diff --git a/cmds/liter-server/utils.go b/cmds/liter-server/utils.go
@@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/hex"
 	"net"
 	"runtime"
 	"sort"
@@ -203,11 +204,17 @@ func genRandB64(n int)(s string, err error){
 	return
 }
 
+// return a URL encoded base64 string
 func asSha256(s string)(string){
 	buf := sha256.Sum256(([]byte)(s))
 	return base64.RawURLEncoding.EncodeToString(buf[:])
 }
 
+func asSha256Hex(s string)(string){
+	buf := sha256.Sum256(([]byte)(s))
+	return hex.EncodeToString(buf[:])
+}
+
 func toSeconds(t time.Time)(float64){
 	return (float64)(t.Unix()) + (float64)(t.UnixNano() % 1e9) / 1e9
 }

diff --git a/cmds/liter-server/web.go b/cmds/liter-server/web.go
@@ -42,6 +42,7 @@ const (
 const (
 	clientIdKey = "liter.client.id"
 	clientUserKey = "liter.client.user"
+	clientTokenIdKey = "liter.client.jti"
 )
 
 var hmacKey []byte = func()(key []byte){