refactor(crypto,db): using bcrypt and bcrypt.CompareHashAndPassword instead of SHA256

This commit is contained in:
Columbiysky 2025-05-03 11:05:32 +03:00
parent 579c73df49
commit daec80fc5d
4 changed files with 48 additions and 15 deletions


@ -53,9 +53,16 @@ func initUser() error {
return err return err
} }
if empty { if empty {
hashedPassword, err := crypto.HashPasswordAsBcrypt(defaultPassword)
if err != nil {
log.Printf("Error hashing default password: %v", err)
return err
}
user := &model.User{ user := &model.User{
Username: defaultUsername, Username: defaultUsername,
Password: crypto.HashSHA256(defaultPassword), Password: hashedPassword,
LoginSecret: defaultSecret, LoginSecret: defaultSecret,
} }
return db.Create(user).Error return db.Create(user).Error
@ -84,7 +91,12 @@ func runSeeders(isUsersEmpty bool) error {
db.Find(&users) db.Find(&users)
for _, user := range users { for _, user := range users {
db.Model(&user).Update("password", crypto.HashSHA256(user.Password)) hashedPassword, err := crypto.HashPasswordAsBcrypt(user.Password)
if err != nil {
log.Printf("Error hashing password for user '%s': %v", user.Username, err)
return err
}
db.Model(&user).Update("password", hashedPassword)
} }
hashSeeder := &model.HistoryOfSeeders{ hashSeeder := &model.HistoryOfSeeders{
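Review bot: Existing installations get no migration path in runSeeders: the loop at the `db.Find(&users)` hunk bcrypt-hashes whatever is currently in user.Password, but if this seeder was already recorded in HistoryOfSeeders by the previous SHA256 version it will not run again, so stored values stay as SHA256 hex digests and CheckPasswordHash will reject every login for those users. If that is the case, a new one-time seeder should detect legacy digests (64 hex characters, no `$2` bcrypt prefix) and either force a password reset or mark the account for re-hashing on the next successful login, where the plaintext is available. The same double-hash risk applies if the old seeder ran and this loop does execute, since bcrypt would then be applied on top of the SHA256 hex. Both initUser and runSeeders start and end outside the hunks shown.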


@ -1,12 +1,15 @@
package crypto package crypto
import ( import (
"crypto/sha256" "golang.org/x/crypto/bcrypt"
"encoding/hex"
) )
func HashSHA256(text string) string { func HashPasswordAsBcrypt(password string) (string, error) {
hasher := sha256.New() hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
hasher.Write([]byte(text)) return string(hash), err
return hex.EncodeToString(hasher.Sum(nil)) }
func CheckPasswordHash(hash, password string) bool {
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
return err == nil
} }
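Review bot: Both exported functions lack doc comments, and the bcrypt 72-byte input limit is worth stating on HashPasswordAsBcrypt because current golang.org/x/crypto versions make GenerateFromPassword return an error for longer inputs rather than truncating, which matters for any caller that discards the error (updateUser does). Suggested: `// HashPasswordAsBcrypt returns the bcrypt hash of password at bcrypt.DefaultCost; it fails for inputs longer than 72 bytes.` and `// CheckPasswordHash reports whether password matches the bcrypt hash; a malformed or non-bcrypt hash (e.g. a legacy SHA256 hex digest) also yields false.` The second comment is useful because CheckPasswordHash collapses ErrMismatchedHashAndPassword and hash-format errors into one boolean, so a stored legacy digest looks identical to a wrong password at the call site.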


@ -85,7 +85,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
return return
} }
user := session.GetLoginUser(c) user := session.GetLoginUser(c)
if user.Username != form.OldUsername || user.Password != crypto.HashSHA256(form.OldPassword) { if user.Username != form.OldUsername || !crypto.CheckPasswordHash(user.Password, form.OldPassword) {
jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), errors.New(I18nWeb(c, "pages.settings.toasts.originalUserPassIncorrect"))) jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), errors.New(I18nWeb(c, "pages.settings.toasts.originalUserPassIncorrect")))
return return
} }
@ -96,7 +96,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
err = a.userService.UpdateUser(user.Id, form.NewUsername, form.NewPassword) err = a.userService.UpdateUser(user.Id, form.NewUsername, form.NewPassword)
if err == nil { if err == nil {
user.Username = form.NewUsername user.Username = form.NewUsername
user.Password = crypto.HashSHA256(form.NewPassword) user.Password, _ = crypto.HashPasswordAsBcrypt(form.NewPassword)
session.SetLoginUser(c, user) session.SetLoginUser(c, user)
} }
jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err) jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err)
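Review bot: The second hunk discards the hashing error with `user.Password, _ = crypto.HashPasswordAsBcrypt(form.NewPassword)`, so on failure the session user is stored with an empty Password while the database already holds the hash written by UpdateUser. That empty value makes the next updateUser call fail the CheckPasswordHash check on the old password even though the database is fine. Re-hashing here also produces a different salt than the value UpdateUser stored; it still verifies, but having UpdateUser return the stored hash would avoid the second bcrypt cost. updateUser's body starts and ends outside the hunks.
```go
	if err == nil {
		user.Username = form.NewUsername
		// UpdateUser already persisted a hash; keep the session copy valid and
		// surface a hashing failure instead of storing an empty password.
		hashed, hashErr := crypto.HashPasswordAsBcrypt(form.NewPassword)
		if hashErr != nil {
			err = hashErr
		} else {
			user.Password = hashed
			session.SetLoginUser(c, user)
		}
	}
	// … unchanged: jsonMsg call …
```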


@ -30,8 +30,9 @@ func (s *UserService) CheckUser(username string, password string, secret string)
db := database.GetDB() db := database.GetDB()
user := &model.User{} user := &model.User{}
err := db.Model(model.User{}). err := db.Model(model.User{}).
Where("username = ? and password = ? and login_secret = ?", username, crypto.HashSHA256(password), secret). Where("username = ? and login_secret = ?", username, secret).
First(user). First(user).
Error Error
if err == gorm.ErrRecordNotFound { if err == gorm.ErrRecordNotFound {
@ -40,14 +41,25 @@ func (s *UserService) CheckUser(username string, password string, secret string)
logger.Warning("check user err:", err) logger.Warning("check user err:", err)
return nil return nil
} }
if crypto.CheckPasswordHash(user.Password, password) {
return user return user
}
return nil
} }
func (s *UserService) UpdateUser(id int, username string, password string) error { func (s *UserService) UpdateUser(id int, username string, password string) error {
db := database.GetDB() db := database.GetDB()
hashedPassword, err := crypto.HashPasswordAsBcrypt(password)
if err != nil {
return err
}
return db.Model(model.User{}). return db.Model(model.User{}).
Where("id = ?", id). Where("id = ?", id).
Updates(map[string]any{"username": username, "password": crypto.HashSHA256(password)}). Updates(map[string]any{"username": username, "password": hashedPassword}).
Error Error
} }
@ -101,17 +113,23 @@ func (s *UserService) UpdateFirstUser(username string, password string) error {
} else if password == "" { } else if password == "" {
return errors.New("password can not be empty") return errors.New("password can not be empty")
} }
hashedPassword, er := crypto.HashPasswordAsBcrypt(password)
if er != nil {
return er
}
db := database.GetDB() db := database.GetDB()
user := &model.User{} user := &model.User{}
err := db.Model(model.User{}).First(user).Error err := db.Model(model.User{}).First(user).Error
if database.IsNotFound(err) { if database.IsNotFound(err) {
user.Username = username user.Username = username
user.Password = crypto.HashSHA256(password) user.Password = hashedPassword
return db.Model(model.User{}).Create(user).Error return db.Model(model.User{}).Create(user).Error
} else if err != nil { } else if err != nil {
return err return err
} }
user.Username = username user.Username = username
user.Password = crypto.HashSHA256(password) user.Password = hashedPassword
return db.Save(user).Error return db.Save(user).Error
} }
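Review bot: In CheckUser the not-found path (the gorm.ErrRecordNotFound branch, partly between the two hunks) appears to return nil before any bcrypt work, while an existing username now pays a full CompareHashAndPassword, so response time distinguishes valid from invalid usernames. A defensive fix is to run the same compare against a fixed, constant bcrypt hash on the not-found path so both branches cost roughly the same, e.g. `_ = crypto.CheckPasswordHash(dummyBcryptHash, password) // dummyBcryptHash: package-level placeholder constant` before returning nil. Dropping the password from the SQL WHERE is correct since bcrypt hashes are salted and cannot be matched in the query; note that login_secret is still compared in SQL as before. CheckUser's start and UpdateFirstUser's start lie outside the hunks.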