I think it would be better practice in login_controller.go to only issue a bearer token after explicitly checking that the user-provided password matches the hash after using bcrypt. In its current state the default is to provide a token if one specific error is not met.
if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
From what I understand the only case where this might be kind of exploited is when the DB-stored passwords are not bcrypt hashes, which results in: var ErrHashTooShort = "crypto/bcrypt: hashedSecret too short to be a bcrypted password"
I had that case because I had unencrypted test-data in my database.
Even though the attack surface might be limited here I would suggest to modify the code to teach and encourage safe best practices.
How to validate:
Register a new user
Change the bcrypt hash in the database to "test"
Logging in with any password will issue a token from now on
...
Profit :-)
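The fail-open control flow the issue describes, shown as an added example that is not code from the issue or from the project. bcrypt itself is replaced by a constructed stand-in (fakeHash, fakeCompare) that only reproduces the error contract of bcrypt.CompareHashAndPassword, since the point is the check in the caller, not the hashing; loginVulnerable and loginFixed are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Sentinel errors named after those in golang.org/x/crypto/bcrypt; they belong to the stand-in below.
var (
	ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
	ErrHashTooShort              = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
)

// fakeHash is a constructed stand-in for bcrypt.GenerateFromPassword: a 60-byte value with a bcrypt-looking prefix.
func fakeHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return "$2a$10$" + hex.EncodeToString(sum[:])[:53]
}

// fakeCompare mimics the error contract of bcrypt.CompareHashAndPassword: a stored value
// shorter than a bcrypt hash yields ErrHashTooShort, a wrong password yields the mismatch error.
func fakeCompare(hashed, password string) error {
	if len(hashed) < 59 {
		return ErrHashTooShort
	}
	if hashed != fakeHash(password) {
		return ErrMismatchedHashAndPassword
	}
	return nil
}

// loginVulnerable reproduces the flow from the issue: a token is issued unless the error is
// exactly the mismatch error, so any other error (a non-bcrypt value in the column) falls open.
func loginVulnerable(storedHash, password string) bool {
	err := fakeCompare(storedHash, password)
	if err != nil && err == ErrMismatchedHashAndPassword {
		return false
	}
	return true // issue token
}

// loginFixed issues a token only when the comparison succeeded; every error, known or not, denies.
func loginFixed(storedHash, password string) bool {
	return fakeCompare(storedHash, password) == nil
}
```

With a stored value of "test" (the issue's validation step) loginVulnerable returns true for any password while loginFixed returns false.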