refactor(crypto,db): using bcrypt and bcrypt.CompareHashAndPassword instead of SHA256

2025-09-12 13:10:05 +00:00 · 2025-05-03 11:05:32 +03:00 · 2025-05-03 11:05:32 +03:00 · daec80fc5d
commit daec80fc5d
parent 579c73df49
4 changed files with 48 additions and 15 deletions
--- a/database/db.go
+++ b/database/db.go
@ -53,9 +53,16 @@ func initUser() error {
 		return err
 	}
 	if empty {
+		hashedPassword, err := crypto.HashPasswordAsBcrypt(defaultPassword)
+
+		if err != nil {
+			log.Printf("Error hashing default password: %v", err)
+			return err
+		}
+
 		user := &model.User{
 			Username:    defaultUsername,
-			Password:    crypto.HashSHA256(defaultPassword),
+			Password:    hashedPassword,
 			LoginSecret: defaultSecret,
 		}
 		return db.Create(user).Error
@ -84,7 +91,12 @@ func runSeeders(isUsersEmpty bool) error {
 			db.Find(&users)

 			for _, user := range users {
-				db.Model(&user).Update("password", crypto.HashSHA256(user.Password))
+				hashedPassword, err := crypto.HashPasswordAsBcrypt(user.Password)
+				if err != nil {
+					log.Printf("Error hashing password for user '%s': %v", user.Username, err)
+					return err
+				}
+				db.Model(&user).Update("password", hashedPassword)
 			}

 			hashSeeder := &model.HistoryOfSeeders{
--- a/util/crypto/crypto.go
+++ b/util/crypto/crypto.go
@ -1,12 +1,15 @@
 package crypto

 import (
-	"crypto/sha256"
-	"encoding/hex"
+	"golang.org/x/crypto/bcrypt"
 )

-func HashSHA256(text string) string {
-	hasher := sha256.New()
-	hasher.Write([]byte(text))
-	return hex.EncodeToString(hasher.Sum(nil))
+func HashPasswordAsBcrypt(password string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	return string(hash), err
+}
+
+func CheckPasswordHash(hash, password string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
 }
--- a/web/controller/setting.go
+++ b/web/controller/setting.go
@ -85,7 +85,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 		return
 	}
 	user := session.GetLoginUser(c)
-	if user.Username != form.OldUsername || user.Password != crypto.HashSHA256(form.OldPassword) {
+	if user.Username != form.OldUsername || !crypto.CheckPasswordHash(user.Password, form.OldPassword) {
 		jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), errors.New(I18nWeb(c, "pages.settings.toasts.originalUserPassIncorrect")))
 		return
 	}
@ -96,7 +96,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 	err = a.userService.UpdateUser(user.Id, form.NewUsername, form.NewPassword)
 	if err == nil {
 		user.Username = form.NewUsername
-		user.Password = crypto.HashSHA256(form.NewPassword)
+		user.Password, _ = crypto.HashPasswordAsBcrypt(form.NewPassword)
 		session.SetLoginUser(c, user)
 	}
 	jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err)
--- a/web/service/user.go
+++ b/web/service/user.go
@ -30,8 +30,9 @@ func (s *UserService) CheckUser(username string, password string, secret string)
 	db := database.GetDB()

 	user := &model.User{}
+
 	err := db.Model(model.User{}).
-		Where("username = ? and password = ? and login_secret = ?", username, crypto.HashSHA256(password), secret).
+		Where("username = ? and login_secret = ?", username, secret).
 		First(user).
 		Error
 	if err == gorm.ErrRecordNotFound {
@ -40,14 +41,25 @@ func (s *UserService) CheckUser(username string, password string, secret string)
 		logger.Warning("check user err:", err)
 		return nil
 	}
+
+	if crypto.CheckPasswordHash(user.Password, password) {
 		return user
 	}

+	return nil
+}
+
 func (s *UserService) UpdateUser(id int, username string, password string) error {
 	db := database.GetDB()
+	hashedPassword, err := crypto.HashPasswordAsBcrypt(password)
+
+	if err != nil {
+		return err
+	}
+
 	return db.Model(model.User{}).
 		Where("id = ?", id).
-		Updates(map[string]any{"username": username, "password": crypto.HashSHA256(password)}).
+		Updates(map[string]any{"username": username, "password": hashedPassword}).
 		Error
 }

@ -101,17 +113,23 @@ func (s *UserService) UpdateFirstUser(username string, password string) error {
 	} else if password == "" {
 		return errors.New("password can not be empty")
 	}
+	hashedPassword, er := crypto.HashPasswordAsBcrypt(password)
+
+	if er != nil {
+		return er
+	}
+
 	db := database.GetDB()
 	user := &model.User{}
 	err := db.Model(model.User{}).First(user).Error
 	if database.IsNotFound(err) {
 		user.Username = username
-		user.Password = crypto.HashSHA256(password)
+		user.Password = hashedPassword
 		return db.Model(model.User{}).Create(user).Error
 	} else if err != nil {
 		return err
 	}
 	user.Username = username
-	user.Password = crypto.HashSHA256(password)
+	user.Password = hashedPassword
 	return db.Save(user).Error
 }