Insecure login-controller? #13

Open
dermarlo opened this issue Apr 16, 2023 · 0 comments

@dermarlo

I think it would be better practice in login_controller.go to only issue a bearer token after explicitly checking that the user-provided password matches the hash after using bcrypt. In its current state the default is to provide a token if one specific error is not met.

```go
if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
```

From what I understand, the only case where this might be kind of exploited is when the DB-stored passwords are not bcrypt hashes, which results in:

```go
var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
```

I had that case because I had unencrypted test-data in my database.

Even though the attack surface might be limited here, I would suggest modifying the code to teach and encourage safe best practices.

How to validate:

  • Register a new user
  • Change the bcrypt hash in the database to "test"
  • Login with any password will issue a token from now on
  • ...
  • Profit :-)
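To make the fail-open pattern concrete, here is an added example that is not code from the project: it puts the quoted check (`err != nil && err == ErrMismatchedHashAndPassword`) next to a fail-closed version that issues a token only when the comparison returns `nil`, and runs both against an intact hash and against the issue's "test" hash. The function names `loginFailOpen`, `loginFailClosed` and `classify` are hypothetical. Because the example has to run without `golang.org/x/crypto`, it assumes a constructed stand-in comparator (`standInCompare`, a prefixed SHA-256, not a real password hash) that reproduces bcrypt's error contract, and it redeclares the two sentinel errors with bcrypt's names; in the real controller the `Comparator` parameter would be `bcrypt.CompareHashAndPassword` and the errors bcrypt's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors with the same names and messages as in golang.org/x/crypto/bcrypt.
// Redeclared here only so the example compiles offline (assumption: the real
// controller keeps using bcrypt's exported errors and bcrypt.CompareHashAndPassword).
var (
	ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
	ErrHashTooShort              = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
)

// Comparator has the shape of bcrypt.CompareHashAndPassword: nil means the password
// matches the stored hash, any non-nil error means it could not be verified.
type Comparator func(hashedPassword, password []byte) error

const stubPrefix = "$stub$"

// standInHash / standInCompare are a constructed stand-in for bcrypt so this file
// needs no external module. Stored form: "$stub$" + hex(sha256(password)). This is
// NOT a production password hash; it only reproduces bcrypt's error contract, in
// particular that a stored value not in the expected form yields ErrHashTooShort.
func standInHash(password []byte) []byte {
	sum := sha256.Sum256(password)
	return []byte(stubPrefix + hex.EncodeToString(sum[:]))
}

func standInCompare(hashedPassword, password []byte) error {
	h := string(hashedPassword)
	if !strings.HasPrefix(h, stubPrefix) || len(h) != len(stubPrefix)+sha256.Size*2 {
		return ErrHashTooShort
	}
	sum := sha256.Sum256(password)
	want := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(h[len(stubPrefix):]), []byte(want)) != 1 {
		return ErrMismatchedHashAndPassword
	}
	return nil
}

// loginFailOpen reproduces the pattern the issue quotes: the request is rejected
// only when the comparison returns one specific error, so every other error
// (ErrHashTooShort for a tampered or never-hashed stored value, for instance)
// falls through to issuing a token.
func loginFailOpen(cmp Comparator, storedHash, password []byte) (token string, ok bool) {
	err := cmp(storedHash, password)
	if err != nil && err == ErrMismatchedHashAndPassword {
		return "", false
	}
	return "token-for-user", true // reached on success AND on any other error
}

// loginFailClosed issues a token only when the comparison explicitly succeeds.
// Any error, expected or not, denies the login.
func loginFailClosed(cmp Comparator, storedHash, password []byte) (token string, ok bool) {
	if err := cmp(storedHash, password); err != nil {
		return "", false
	}
	return "token-for-user", true
}

// classify separates the deny reasons so a corrupt stored hash can be logged and
// alerted on, without that ever changing the outcome (it is still a denial).
func classify(err error) string {
	switch {
	case err == nil:
		return "match"
	case errors.Is(err, ErrMismatchedHashAndPassword):
		return "wrong password"
	default:
		return "stored hash unusable, investigate: " + err.Error()
	}
}

func main() {
	good := standInHash([]byte("correct horse battery staple"))
	tampered := []byte("test") // the issue's reproduction step: hash column replaced by "test"
	for _, c := range []struct {
		name           string
		hash, password []byte
	}{
		{"right password, intact hash", good, []byte("correct horse battery staple")},
		{"wrong password, intact hash", good, []byte("guess")},
		{"any password, tampered hash", tampered, []byte("anything")},
	} {
		_, open := loginFailOpen(standInCompare, c.hash, c.password)
		_, closed := loginFailClosed(standInCompare, c.hash, c.password)
		fmt.Printf("%-30s fail-open=%-5v fail-closed=%-5v (%s)\n",
			c.name, open, closed, classify(standInCompare(c.hash, c.password)))
	}
}
```

The third row is the case from the validation steps: with the stored hash replaced by "test", `loginFailOpen` grants a token for any password because the error it receives is `ErrHashTooShort`, not the one it checks for, while `loginFailClosed` denies. The `classify` helper is where a defender would hook a log line or alert, since an unusable stored hash on a login path is worth investigating even though the login itself must still fail.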