brunel/auth/auth.go

package auth

import (
	"brunel/config"
	"brunel/domain"
	"brunel/helpers"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"log/slog"
	"strings"
	"time"

	"golang.org/x/crypto/argon2"
)

type Params struct {
	Memory      uint32
	Iterations  uint32
	Parallelism uint8
	KeyLength   uint32
}

func NewPasswordHash(password string) string {
	params := &Params{
		Memory:      64 * 1024,
		Iterations:  3,
		Parallelism: 2,
		KeyLength:   32,
	}
	salt := []byte(config.Configs.Salt)
	hash := argon2.IDKey([]byte(password), salt, params.Iterations, params.Memory, params.Parallelism, params.KeyLength)
	return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s", params.Memory, params.Iterations, params.Parallelism, base64.RawURLEncoding.EncodeToString(salt), base64.RawURLEncoding.EncodeToString(hash))
}

func VerifyPassword(username, password string) (bool, error) {
	var user domain.User
	user, err := helpers.DBInst.GetUser(username)
	if err != nil {
		usr, ok := config.Users[username]
		if !ok {
			return false, errors.New("user not found")
		}
		user = usr
	}

	encodedHash := user.PasswordHash
	_, _, _, _, salt, hash, err := decodeHash(encodedHash)
	if err != nil {
		slog.Error(err.Error())
		return false, err
	}
	params := &Params{
		Memory:      64 * 1024,
		Iterations:  3,
		Parallelism: 2,
		KeyLength:   32,
	}

	newHash := argon2.IDKey([]byte(password), salt, params.Iterations, params.Memory, params.Parallelism, params.KeyLength)
	if subtle.ConstantTimeCompare(hash, newHash) == 1 {
		return true, nil
	}
	return false, nil
}

func GenerateAndStoreSessionToken(username string) (string, error) {
	token := make([]byte, 32)
	_, err := rand.Read(token)
	if err != nil {
		return "", err
	}

	endcodedToken := base64.RawURLEncoding.EncodeToString(token)
	helpers.DBInst.CreateSession(domain.Session{
		Token:    endcodedToken,
		Username: username,
		Expiry:   time.Now().Add(24 * time.Hour),
	})
	return endcodedToken, nil
}

func CheckSessionToken(token string) (bool, string) {
	session, err := helpers.DBInst.GetSession(token)
	if err != nil {
		return false, ""
	}
	return true, session.Username
}

func decodeHash(encodedHash string) (version int, memory, iterations, parallelism uint32, salt, hash []byte, err error) {
	parts := strings.Split(encodedHash, "$")
	if len(parts) != 6 {
		return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid hash format")
	}

	if parts[1] != "argon2id" {
		return 0, 0, 0, 0, nil, nil, fmt.Errorf("unsupported hash algorithm")
	}

	var v int
	_, err = fmt.Sscanf(parts[2], "v=%d", &v)
	if err != nil {
		return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid version: %v", err)
	}
	version = v

	_, err = fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &iterations, &parallelism)
	if err != nil {
		return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid parameters: %v", err)
	}

	salt, err = base64.RawURLEncoding.DecodeString(parts[4])
	if err != nil {
		return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid salt: %v", err)
	}

	hash, err = base64.RawURLEncoding.DecodeString(parts[5])
	if err != nil {
		return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid hash: %v", err)
	}

	return version, memory, iterations, parallelism, salt, hash, nil
}
Initial Commit 2024-07-28 20:59:50 +02:00			`package auth`

			`import (`
			`"brunel/config"`
			`"brunel/domain"`
			`"brunel/helpers"`
			`"crypto/rand"`
			`"crypto/subtle"`
			`"encoding/base64"`
			`"errors"`
			`"fmt"`
			`"log/slog"`
			`"strings"`
			`"time"`

			`"golang.org/x/crypto/argon2"`
			`)`

			`type Params struct {`
			`Memory uint32`
			`Iterations uint32`
			`Parallelism uint8`
			`KeyLength uint32`
			`}`

			`func NewPasswordHash(password string) string {`
			`params := &Params{`
			`Memory: 64 * 1024,`
			`Iterations: 3,`
			`Parallelism: 2,`
			`KeyLength: 32,`
			`}`
			`salt := []byte(config.Configs.Salt)`
			`hash := argon2.IDKey([]byte(password), salt, params.Iterations, params.Memory, params.Parallelism, params.KeyLength)`
			`return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s", params.Memory, params.Iterations, params.Parallelism, base64.RawURLEncoding.EncodeToString(salt), base64.RawURLEncoding.EncodeToString(hash))`
			`}`

			`func VerifyPassword(username, password string) (bool, error) {`
			`var user domain.User`
			`user, err := helpers.DBInst.GetUser(username)`
			`if err != nil {`
			`usr, ok := config.Users[username]`
			`if !ok {`
			`return false, errors.New("user not found")`
			`}`
			`user = usr`
			`}`

			`encodedHash := user.PasswordHash`
			`_, _, _, _, salt, hash, err := decodeHash(encodedHash)`
			`if err != nil {`
			`slog.Error(err.Error())`
			`return false, err`
			`}`
			`params := &Params{`
			`Memory: 64 * 1024,`
			`Iterations: 3,`
			`Parallelism: 2,`
			`KeyLength: 32,`
			`}`

			`newHash := argon2.IDKey([]byte(password), salt, params.Iterations, params.Memory, params.Parallelism, params.KeyLength)`
			`if subtle.ConstantTimeCompare(hash, newHash) == 1 {`
			`return true, nil`
			`}`
			`return false, nil`
			`}`

			`func GenerateAndStoreSessionToken(username string) (string, error) {`
			`token := make([]byte, 32)`
			`_, err := rand.Read(token)`
			`if err != nil {`
			`return "", err`
			`}`

			`endcodedToken := base64.RawURLEncoding.EncodeToString(token)`
			`helpers.DBInst.CreateSession(domain.Session{`
			`Token: endcodedToken,`
			`Username: username,`
			`Expiry: time.Now().Add(24 * time.Hour),`
			`})`
			`return endcodedToken, nil`
			`}`

			`func CheckSessionToken(token string) (bool, string) {`
			`session, err := helpers.DBInst.GetSession(token)`
			`if err != nil {`
			`return false, ""`
			`}`
			`return true, session.Username`
			`}`

			`func decodeHash(encodedHash string) (version int, memory, iterations, parallelism uint32, salt, hash []byte, err error) {`
			`parts := strings.Split(encodedHash, "$")`
			`if len(parts) != 6 {`
			`return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid hash format")`
			`}`

			`if parts[1] != "argon2id" {`
			`return 0, 0, 0, 0, nil, nil, fmt.Errorf("unsupported hash algorithm")`
			`}`

			`var v int`
			`_, err = fmt.Sscanf(parts[2], "v=%d", &v)`
			`if err != nil {`
			`return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid version: %v", err)`
			`}`
			`version = v`

			`_, err = fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &iterations, &parallelism)`
			`if err != nil {`
			`return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid parameters: %v", err)`
			`}`

			`salt, err = base64.RawURLEncoding.DecodeString(parts[4])`
			`if err != nil {`
			`return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid salt: %v", err)`
			`}`

			`hash, err = base64.RawURLEncoding.DecodeString(parts[5])`
			`if err != nil {`
			`return 0, 0, 0, 0, nil, nil, fmt.Errorf("invalid hash: %v", err)`
			`}`

			`return version, memory, iterations, parallelism, salt, hash, nil`
			`}`