forked from rs/rest-layer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
password.go
66 lines (60 loc) · 1.65 KB
/
password.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
package schema
import (
"errors"
"fmt"
"golang.org/x/crypto/bcrypt"
)
// Password crypts a field password using bcrypt algorithm.
type Password struct {
// MinLen defines the minimum password length (default 0).
MinLen int
// MaxLen defines the maximum password length (default no limit).
MaxLen int
// Cost sets a custom bcrypt hashing cost.
Cost int
}
var (
// PasswordField is a common schema field for passwords. It encrypt the
// password using bcrypt before storage and hide the value so the hash can't
// be read back.
PasswordField = Field{
Description: "Write-only field storing a secret password.",
Required: true,
Hidden: true,
Validator: &Password{},
}
)
// Validate implements FieldValidator interface.
func (v Password) Validate(value interface{}) (interface{}, error) {
s, ok := value.(string)
if !ok {
if b, ok := value.([]byte); ok {
// Maybe it's an already encoded version of the password.
if _, err := bcrypt.Cost(b); err == nil {
return b, nil
}
}
return nil, errors.New("not a string")
}
l := len(s)
if l < v.MinLen {
return nil, fmt.Errorf("is shorter than %d", v.MinLen)
}
if v.MaxLen > 0 && l > v.MaxLen {
return nil, fmt.Errorf("is longer than %d", v.MaxLen)
}
b, err := bcrypt.GenerateFromPassword([]byte(s), v.Cost)
if err != nil {
return nil, err
}
return b, nil
}
// VerifyPassword compare a field of an item payload containing a hashed
// password with a clear text password and return true if they match.
func VerifyPassword(hash interface{}, password []byte) bool {
h, ok := hash.([]byte)
if !ok {
return false
}
return bcrypt.CompareHashAndPassword(h, password) == nil
}