package auth
import (
"context"
"crypto/rand"
"crypto/subtle"
"database/sql"
"errors"
"fmt"
"io"
"path/filepath"
"runtime"
"github.com/google/uuid"
"golang.org/x/crypto/argon2"
"github.com/uptrace/bun/driver/sqliteshim"
)
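// OpenDir opens (creating it if needed) the SQLite database users.db inside
// dir, enables foreign-key enforcement through the DSN pragma, and runs
// InitDB on it.
//
// The returned handle is owned by the caller, who must Close it. When InitDB
// fails the half-opened handle is closed here before the error is returned,
// so a failed open no longer leaks the connection pool.
func OpenDir(ctx context.Context, dir string) (*sql.DB, error) {
	// NOTE(review): the path is spliced into a file: URI without escaping; a
	// dir containing '?' or '#' would be cut at that character by the driver —
	// confirm such directories are never passed.
	dsn := fmt.Sprintf("file:%v?_pragma=foreign_keys(1)", filepath.Join(dir, "users.db"))
	db, err := sql.Open(sqliteshim.ShimName, dsn)
	if err != nil {
		return nil, err
	}
	if err := InitDB(ctx, db); err != nil {
		// The InitDB error is the one worth reporting; a close error adds nothing.
		_ = db.Close()
		return nil, err
	}
	return db, nil
}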
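// OpenMemory opens a shared-cache in-memory SQLite database and runs InitDB
// on it. Nothing is persisted, which makes it suitable for tests and
// throwaway instances.
//
// The returned handle is owned by the caller, who must Close it. When InitDB
// fails the handle is closed here before the error is returned, so a failed
// open does not leak the connection pool.
func OpenMemory(ctx context.Context) (*sql.DB, error) {
	db, err := sql.Open(sqliteshim.ShimName, "file::memory:?cache=shared")
	if err != nil {
		return nil, err
	}
	if err := InitDB(ctx, db); err != nil {
		// The InitDB error is the one worth reporting; a close error adds nothing.
		_ = db.Close()
		return nil, err
	}
	// NOTE(review): unlike OpenDir, no foreign_keys pragma is set here, so the
	// two stores enforce constraints differently — confirm that is intended.
	// NOTE(review): a shared-cache in-memory database only lives while some
	// connection is open; if the pool closes every idle connection the schema
	// is gone — confirm the pool settings (SetMaxIdleConns etc.) cover this.
	return db, nil
}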
// InitDB creates the db_users and db_tokens tables on db when they do not
// exist yet. Both statements use "if not exists", so InitDB can be run on
// every open without harm. The tables store no Argon2 parameters next to the
// password hash, only the salt and the hash itself.
func InitDB(ctx context.Context, db *sql.DB) error {
	const usersTable = `create table if not exists db_users(
uid text not null,
login text not null,
salt blob not null,
passwd blob not null,
active integer not null,
primary key(uid),
unique(login))`
	const tokensTable = `create table if not exists db_tokens(token_id text not null,
token_type text not null,
uid text not null,
salt blob not null,
token blob not null,
created_at_unix integer not null,
expires_at_unix integer not null,
primary key(token_id))`
	return execCmds(ctx, db, []string{usersTable, tokensTable})
}
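// RegisterUser creates an active user with the given login and password and
// returns the new user's uid (a random UUID).
//
// An empty login or password is rejected before anything is written, so no
// account can be created that is unlocked by an empty password. The password
// is stored only as an Argon2id hash next to a fresh random salt. Because
// db_users declares login unique, registering an existing login makes the
// insert fail with the driver's constraint error.
func RegisterUser(ctx context.Context, db *sql.DB, login string, passwd []byte) (string, error) {
	if login == "" {
		return "", errors.New("auth: login must not be empty")
	}
	if len(passwd) == 0 {
		return "", errors.New("auth: password must not be empty")
	}
	uid, err := uuid.NewRandom()
	if err != nil {
		return "", err
	}
	salt, salted, err := saltPassword(passwd)
	if err != nil {
		return "", err
	}
	id := uid.String()
	_, err = db.ExecContext(ctx, `insert into db_users(uid, login, salt, passwd, active) values (?, ?, ?, ?, ?)`,
		id, login, salt, salted, 1)
	if err != nil {
		return "", err
	}
	return id, nil
}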
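// ReplacePassword sets a new password for the user with the given login.
//
// It neither checks the old password nor requires the user to be active, so
// it is a reset operation that callers must guard with their own
// authorization. Lookup and update are a single statement, so a row removed
// between a separate select and update can no longer be missed; a login that
// matches no row yields sql.ErrNoRows, as before. An empty password is
// rejected before anything is written.
func ReplacePassword(ctx context.Context, db *sql.DB, login string, newpass []byte) error {
	if len(newpass) == 0 {
		return errors.New("auth: password must not be empty")
	}
	salt, salted, err := saltPassword(newpass)
	if err != nil {
		return err
	}
	res, err := db.ExecContext(ctx, `update db_users set passwd = ?, salt = ? where login = ?`, salted, salt, login)
	if err != nil {
		return err
	}
	n, err := res.RowsAffected()
	if err != nil {
		return err
	}
	if n == 0 {
		// Keep the error the old select-then-update returned for an unknown login.
		return sql.ErrNoRows
	}
	return nil
}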
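// Login verifies plainPass against the stored hash of the active user with
// the given login and returns that user's uid.
//
// An unknown (or inactive) login and a wrong password produce the same
// generic error, and a hash is derived in both cases, so neither the error
// value nor the response time tells a caller whether the login exists. Any
// other database error is returned unchanged.
func Login(ctx context.Context, db *sql.DB, login string, plainPass []byte) (string, error) {
	var (
		uid    string
		salt   []byte
		salted []byte
	)
	err := db.QueryRowContext(ctx, `select uid, salt, passwd from db_users where login = ? and active = 1`, login).Scan(&uid, &salt, &salted)
	switch {
	case errors.Is(err, sql.ErrNoRows):
		// Pay the same key-derivation cost as a real lookup so timing does not
		// reveal whether the login exists; the result is discarded.
		dummySalt, dummyHash := make([]byte, 16), make([]byte, 16)
		validatePasswd(dummySalt, dummyHash, plainPass)
		return "", errors.New("auth: credentials not found or invalid")
	case err != nil:
		return "", err
	}
	if !validatePasswd(salt, salted, plainPass) {
		return "", errors.New("auth: credentials not found or invalid")
	}
	return uid, nil
}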
// lookupActiveLogin stores into *uid the uid of the active user with the
// given login; when no such user exists the Scan error (sql.ErrNoRows) is
// returned and *uid is left untouched.
func lookupActiveLogin(ctx context.Context, uid *string, db *sql.DB, login string) error {
	const q = `select uid from db_users where login = ? and active = 1`
	row := db.QueryRowContext(ctx, q, login)
	return row.Scan(uid)
}
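// randomSalt returns sz bytes read from crypto/rand.
//
// sz must be positive: a zero-length salt would make every hash of the same
// password identical, so it is rejected with an error instead of silently
// produced (a negative sz used to panic in make).
func randomSalt(sz int) ([]byte, error) {
	if sz <= 0 {
		return nil, fmt.Errorf("auth: salt length must be positive, got %d", sz)
	}
	buf := make([]byte, sz)
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	return buf, nil
}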
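// Argon2id parameters for password hashing.
//
// They are constants so that a hash produced on one host verifies on every
// other: the former `uint8(runtime.NumCPU())` parallelism made the stored
// hash depend on the CPU count of the registering machine, and wrapped to 0
// (which argon2 rejects by panicking) on hosts with 256 or more CPUs.
//
// NOTE(review): db_users stores no parameters next to the hash, so hashes made
// before this change on a host whose CPU count differs from argonThreads stop
// verifying; those users need a password reset (or a re-hash on the next
// successful login, which would have to be added).
const (
	argonTime    uint32 = 2
	argonMemory  uint32 = 32 * 1024 // in KiB, i.e. 32 MiB
	argonThreads uint8  = 4
	argonKeyLen  uint32 = 32 // length of newly produced hashes
	saltLen             = 16
	minHashLen          = 16 // shortest stored hash accepted (the length older hashes have)
)

// Keeps the "runtime" import referenced now that the hashing parameters no
// longer read runtime.NumCPU; delete together with that import.
var _ = runtime.NumCPU

// saltPassword returns a fresh random salt and the Argon2id hash of plain
// under it, in that order. Both are stored by the caller; nothing else is
// needed to verify the password later.
func saltPassword(plain []byte) ([]byte, []byte, error) {
	salt, err := randomSalt(saltLen)
	if err != nil {
		return nil, nil, err
	}
	return salt, argon2.IDKey(plain, salt, argonTime, argonMemory, argonThreads, argonKeyLen), nil
}

// validatePasswd reports whether plain hashes to salted under salt.
//
// The key is derived to the length of the stored hash, so hashes produced
// with an older argonKeyLen keep verifying; a stored hash shorter than
// minHashLen is treated as corrupt and rejected without deriving anything.
// The comparison is constant-time.
func validatePasswd(salt, salted, plain []byte) bool {
	if len(salted) < minHashLen {
		return false
	}
	key := argon2.IDKey(plain, salt, argonTime, argonMemory, argonThreads, uint32(len(salted)))
	return subtle.ConstantTimeCompare(key, salted) == 1
}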
// execCmds runs each statement in cmds against db in order and stops at the
// first failure, returning its error; an empty cmds is a no-op that never
// touches db.
func execCmds(ctx context.Context, db *sql.DB, cmds []string) error {
	for i := range cmds {
		if _, err := db.ExecContext(ctx, cmds[i]); err != nil {
			return err
		}
	}
	return nil
}