feat(db)!: crypting user password as SHA256

2025-09-12 05:00:05 +00:00 · 2025-05-02 17:24:32 +03:00 · 2025-05-02 17:24:32 +03:00 · 84dbcf7869
commit 84dbcf7869
parent 3d54e33051
4 changed files with 22 additions and 7 deletions
--- a/database/db.go
+++ b/database/db.go
@ -10,6 +10,7 @@ import (

 	"x-ui/config"
 	"x-ui/database/model"
+	"x-ui/util/crypto"
 	"x-ui/xray"

 	"gorm.io/driver/sqlite"
@ -52,7 +53,7 @@ func initUser() error {
 	if empty {
 		user := &model.User{
 			Username:    defaultUsername,
-			Password:    defaultPassword,
+			Password:    crypto.HashSHA256(defaultPassword),
 			LoginSecret: defaultSecret,
 		}
 		return db.Create(user).Error
--- a/util/crypto/crypto.go
+++ b/util/crypto/crypto.go
@ -0,0 +1,12 @@
+package crypto
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+)
+
+func HashSHA256(text string) string {
+	hasher := sha256.New()
+	hasher.Write([]byte(text))
+	return hex.EncodeToString(hasher.Sum(nil))
+}
--- a/web/controller/setting.go
+++ b/web/controller/setting.go
@ -4,6 +4,7 @@ import (
 	"errors"
 	"time"

+	"x-ui/util/crypto"
 	"x-ui/web/entity"
 	"x-ui/web/service"
 	"x-ui/web/session"
@ -84,7 +85,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 		return
 	}
 	user := session.GetLoginUser(c)
-	if user.Username != form.OldUsername || user.Password != form.OldPassword {
+	if user.Username != form.OldUsername || user.Password != crypto.HashSHA256(form.OldPassword) {
 		jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), errors.New(I18nWeb(c, "pages.settings.toasts.originalUserPassIncorrect")))
 		return
 	}
@ -95,7 +96,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 	err = a.userService.UpdateUser(user.Id, form.NewUsername, form.NewPassword)
 	if err == nil {
 		user.Username = form.NewUsername
-		user.Password = form.NewPassword
+		user.Password = crypto.HashSHA256(form.NewPassword)
 		session.SetLoginUser(c, user)
 	}
 	jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err)
--- a/web/service/user.go
+++ b/web/service/user.go
@ -6,6 +6,7 @@ import (
 	"x-ui/database"
 	"x-ui/database/model"
 	"x-ui/logger"
+	"x-ui/util/crypto"

 	"gorm.io/gorm"
 )
@ -30,7 +31,7 @@ func (s *UserService) CheckUser(username string, password string, secret string)

 	user := &model.User{}
 	err := db.Model(model.User{}).
-		Where("username = ? and password = ? and login_secret = ?", username, password, secret).
+		Where("username = ? and password = ? and login_secret = ?", username, crypto.HashSHA256(password), secret).
 		First(user).
 		Error
 	if err == gorm.ErrRecordNotFound {
@ -46,7 +47,7 @@ func (s *UserService) UpdateUser(id int, username string, password string) error
 	db := database.GetDB()
 	return db.Model(model.User{}).
 		Where("id = ?", id).
-		Updates(map[string]any{"username": username, "password": password}).
+		Updates(map[string]any{"username": username, "password": crypto.HashSHA256(password)}).
 		Error
 }

@ -105,12 +106,12 @@ func (s *UserService) UpdateFirstUser(username string, password string) error {
 	err := db.Model(model.User{}).First(user).Error
 	if database.IsNotFound(err) {
 		user.Username = username
-		user.Password = password
+		user.Password = crypto.HashSHA256(password)
 		return db.Model(model.User{}).Create(user).Error
 	} else if err != nil {
 		return err
 	}
 	user.Username = username
-	user.Password = password
+	user.Password = crypto.HashSHA256(password)
 	return db.Save(user).Error
 }