SCRAM-SHA-256 support #257
Conversation
```scala
def decode(bytes: ByteVector): Option[ServerFirst] =
  utf8.decodeValue(bytes.bits).toOption.flatMap {
    case Pattern(r, s, i) =>
      Some(ServerFirst(r, ByteVector.fromBase64(s).get, i.toInt))
```
Isn’t there a fromValidBase64?
```scala
private val Pattern = """v=([A-Za-z0-9+/]+={0,2})""".r
def decode(bytes: ByteVector): Option[ServerFinal] =
  utf8.decodeValue(bytes.bits).toOption.flatMap {
    case Pattern(v) =>
```
Same. I know, the tiniest of nits, but seeing get even when it's impossible to fail ... -)
```scala
    ByteVector.view(arr).toBase64
  }
  clientFirstBareWithNonce(nonce)
}
```
I suppose for this kind of thing purity isn’t the point, but this, I assume, isn’t pure with the secure random call - would we want to wrap it in an effect?
I don't know - I originally had this in an F[_]: Sync but that percolates up the call stack. Adding a Random effect seemed overkill. So I simplified to this version.
@@ -81,6 +81,7 @@ lazy val core = project | |||
"org.scodec" %% "scodec-cats" % "1.0.0", | |||
"com.beachape" %% "enumeratum" % "1.6.1", | |||
"org.tpolecat" %% "natchez-core" % "0.0.12", | |||
"com.ongres.stringprep" % "saslprep" % "1.1" |
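Review bot: the new `"com.ongres.stringprep" % "saslprep" % "1.1"` line is the only change in this hunk, and its purpose is not obvious from the coordinate alone; a one-line comment in the build noting that SASLprep (RFC 4013) is what RFC 5802 requires for normalising the password before it is fed to Hi() would help future maintainers. The single `%` is correct, since this is a plain Java artifact rather than a Scala-versioned one.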
This is BSD 2-clause licensed and seems safe / unlikely to change or cause dependency issues for folks downstream. The main algorithm is here, which is 100+ lines of unicode manipulation: https://gitlab.com/ongresinc/stringprep/-/blob/development/saslprep/src/main/java/com/ongres/saslprep/SaslPrep.java
👍 seems fine
Codecov Report

Coverage diff, master vs. #257:

| | master | #257 | +/- |
|---|---|---|---|
| Coverage | 83.88% | 84.77% | +0.88% |
| Files | 108 | 111 | +3 |
| Lines | 1260 | 1327 | +67 |
| Branches | 27 | 27 | |
| Hits | 1057 | 1125 | +68 |
| Misses | 203 | 202 | -1 |

Continue to review full report at Codecov.
Amazing contribution, thank you!
```scala
private def Hi(str: String, salt: ByteVector, iterations: Int): ByteVector = {
  val spec = new javax.crypto.spec.PBEKeySpec(str.toCharArray, salt.toArray, iterations, 8 * 32)
  val salted = javax.crypto.SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded
```
Shit almighty man, JCA gives me the heebie-jeebies.
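To make the whole client-side computation concrete, here is an added Python example (not skunk's code) that parses the server-first and server-final messages the way the regexes above do, runs Hi() as PBKDF2-HMAC-SHA-256 like the JCA call above, and derives the client proof and the server signature the client must check. The sample exchange is the one from RFC 7677 section 3; SASLprep normalisation of the password is assumed to have been applied by the caller.

```python
import base64, hashlib, hmac, re

# Wire-format parsers for the two server messages, mirroring the PR's Pattern regexes.
SERVER_FIRST = re.compile(r"r=([^,]+),s=([A-Za-z0-9+/]+={0,2}),i=(\d+)")
SERVER_FINAL = re.compile(r"v=([A-Za-z0-9+/]+={0,2})")

def hi(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() of RFC 5802 is PBKDF2 with HMAC-SHA-256, the primitive PBKDF2WithHmacSHA256 wraps.
    # Assumption: the caller has already applied SASLprep to the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def parse_server_first(msg: str):
    """Return (combined nonce, salt bytes, iteration count), or None if malformed."""
    m = SERVER_FIRST.fullmatch(msg)
    if m is None:
        return None
    # The regex only admits base64 characters, so decoding here cannot fail (the
    # reviewer's point about .get versus fromValidBase64 above).
    return m.group(1), base64.b64decode(m.group(2), validate=True), int(m.group(3))

def client_final(username: str, password: str, client_nonce: str, server_first: str):
    """Return (client-final message, ServerSignature the client must see in server-final)."""
    parsed = parse_server_first(server_first)
    if parsed is None:
        raise ValueError("malformed server-first message")
    combined_nonce, salt, iterations = parsed
    if not combined_nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    client_first_bare = f"n={username},r={client_nonce}"
    client_final_bare = f"c=biws,r={combined_nonce}"  # biws = base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode("utf-8")
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # what the server keeps on file
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(k ^ s for k, s in zip(client_key, client_sig))  # ClientKey XOR ClientSignature
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    server_sig = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    return f"{client_final_bare},p={base64.b64encode(proof).decode()}", server_sig

def verify_server_final(server_final: str, expected_sig: bytes) -> bool:
    """Constant-time check of v=...; an e=... error or any other text is rejected."""
    m = SERVER_FINAL.fullmatch(server_final)
    return m is not None and hmac.compare_digest(
        base64.b64decode(m.group(1), validate=True), expected_sig)

# Example exchange from RFC 7677 section 3 (username "user", password "pencil").
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST_MSG = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"
SERVER_FINAL_MSG = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="
```

A client that skips the `verify_server_final` step has no proof it talked to a server that knows the password, which is why the `v=` check is not optional.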
tagged v0.0.20
resolves #255