/*
* eve - management toolkit for libvirt servers
* Copyright (C) 2022-2023 BNS Services LLC
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package sessions
import (
"context"
"crypto/subtle"
"encoding/base64"
"fmt"
"github.com/BasedDevelopment/eve/internal/tokens"
"golang.org/x/crypto/sha3"
)
// ValidateSession takes a token and finds its session. Returns true if valid, false if anything else.
//
// The token is accepted only when all of the following hold: a session can be
// loaded for it, its secret decodes from base64url, the SHAKE256 digest of
// secret||salt (hex-encoded) matches the stored session secret in constant
// time, and the session has not expired. Every failure mode collapses to false
// so callers cannot distinguish "unknown token" from "wrong secret".
func ValidateSession(ctx context.Context, incomingToken tokens.Token) bool {
	session, err := GetSession(ctx, incomingToken)
	if err != nil {
		// No session could be loaded for this token; treat it as unauthenticated.
		return false
	}

	// The secret travels base64url-encoded; a value that does not decode can never match.
	rawSecret, err := base64.URLEncoding.DecodeString(incomingToken.Secret)
	if err != nil {
		return false
	}

	// Rebuild the stored form: SHAKE256 (64-byte output) over secret||salt, rendered as lowercase hex.
	// NOTE(review): the salt is read from the incoming token rather than from the stored session;
	// the digest only matches when it equals the salt used at creation, but confirm the stored
	// record does not also carry a salt that should be preferred over the client-supplied one.
	material := append(rawSecret, incomingToken.Salt...)
	digest := make([]byte, 64)
	sha3.ShakeSum256(digest, material)
	computed := []byte(fmt.Sprintf("%x", digest))
	stored := []byte(session.Secret) // already hex in the database

	// Constant-time comparison so a mismatch does not leak how many leading bytes agreed.
	if subtle.ConstantTimeCompare(stored, computed) != 1 {
		return false
	}

	// A correct secret on an expired session is still rejected.
	return !session.isExpired()
}