/*
*
* Gosora Authentication Interface
* Copyright Azareal 2017 - 2020
*
*/
package common
import (
"crypto/sha256"
"crypto/subtle"
"database/sql"
"encoding/hex"
"errors"
"net/http"
"strconv"
"strings"
"git.tuxpa.in/a/gosora/common/gauth"
qgen "git.tuxpa.in/a/gosora/query_gen"
//"golang.org/x/crypto/argon2"
"golang.org/x/crypto/bcrypt"
)
// TODO: Write more authentication tests
// Auth is the package-wide authenticator consulted by the request handlers.
// It is declared here but assigned elsewhere (presumably during startup, e.g.
// to the *DefaultAuth returned by NewDefaultAuth — confirm against the caller);
// it is nil until then.
var Auth AuthInt
// Sizes handed to the random-string generator: SaltLength for password salts,
// SessionLength for the login/provisional session tokens (see CreateSession).
// Both are typed ints so they can be passed straight to functions taking int.
const (
	SaltLength    int = 32
	SessionLength int = 80
)
// ErrMismatchedHashAndPassword is returned whenever a hash doesn't match its unhashed password.
// It re-exports bcrypt's sentinel so callers in this package can compare against
// it (Authenticate does) without importing bcrypt themselves.
var ErrMismatchedHashAndPassword = bcrypt.ErrMismatchedHashAndPassword
// User-facing authentication errors. The messages are shown to end users as-is,
// so they stay friendly and carry no internal detail; anything that should not
// reach the user is logged and replaced by ErrSecretError instead.
//
// NOTE(review): ErrNoUserByName and ErrWrongPassword are distinct messages, so
// a client can tell an unknown username from a bad password; that is a deliberate
// UX choice here, but it does let a remote party confirm which usernames exist.
// nolint
var (
	ErrHashNotExist     = errors.New("We don't recognise that hashing algorithm")
	ErrTooFewHashParams = errors.New("You haven't provided enough hash parameters")

	// ErrPasswordTooLong is silly, but we don't want bcrypt to bork on us
	ErrPasswordTooLong = errors.New("The password you selected is too long")
	ErrWrongPassword   = errors.New("That's not the correct password.")

	ErrBadMFAToken   = errors.New("I'm not sure where you got that from, but that's not a valid 2FA token")
	ErrWrongMFAToken = errors.New("That 2FA token isn't correct")
	ErrNoMFAToken    = errors.New("This user doesn't have 2FA setup")

	ErrSecretError  = errors.New("There was a glitch in the system. Please contact your local administrator.")
	ErrNoUserByName = errors.New("We couldn't find an account with that username.")
)
// Password-hashing registry. Each algorithm is known by a short name
// ("bcrypt"); HashPrefixes maps the leading "$<id>$" of a stored hash back to
// that name so CheckPassword can pick the right verifier, and DefaultHashAlgo
// picks the generator used for new passwords. Only bcrypt is wired up; the
// argon2 entries stay commented out until that backend exists.
var (
	// DefaultHashAlgo selects the GeneratePasswordFuncs entry used for new passwords.
	// Override this in the configuration file, not here.
	DefaultHashAlgo = "bcrypt"

	// CheckPasswordFuncs: func(realPassword, password, salt string) (err error)
	CheckPasswordFuncs = map[string]func(string, string, string) error{
		"bcrypt": BcryptCheckPassword,
		//"argon2": Argon2CheckPassword,
	}

	// GeneratePasswordFuncs: func(password string) (hashedPassword, salt string, err error)
	GeneratePasswordFuncs = map[string]func(string) (string, string, error){
		"bcrypt": BcryptGeneratePassword,
		//"argon2": Argon2GeneratePassword,
	}

	// HashPrefixes: stored-hash prefix -> algorithm name (a key of CheckPasswordFuncs).
	// TODO: Redirect 2b to bcrypt too?
	HashPrefixes = map[string]string{
		"$2a$": "bcrypt",
		//"argon2$": "argon2",
	}
)
// AuthInt is the main authentication interface.
//
// An implementation verifies credentials, issues and revokes sessions, and
// reads/writes the cookies that tie a request to a user. DefaultAuth is the
// built-in implementation; an alternative (e.g. LDAP-backed) can be installed
// by assigning it to Auth.
type AuthInt interface {
	// Authenticate checks name/password. On success it returns the user's uid;
	// requiresExtraAuth is true when the account has MFA set up, in which case
	// the caller must still pass ValidateMFAToken before issuing a full session.
	// Note the unusual return order: err is the second value, not the last.
	Authenticate(name, password string) (uid int, err error, requiresExtraAuth bool)
	// ValidateMFAToken checks a second-factor code (or scratch code) for uid.
	ValidateMFAToken(mfaToken string, uid int) error
	// Logout clears the session cookies on this response only; the server-side
	// session is left untouched (see ForceLogout for that).
	Logout(w http.ResponseWriter, uid int)
	// ForceLogout invalidates uid's stored session so every client is logged out.
	ForceLogout(uid int) error
	// SetCookies writes the uid and session cookies that mark a fully logged-in user.
	SetCookies(w http.ResponseWriter, uid int, session string)
	// SetProvisionalCookies writes the cookies for a user who has passed the
	// password check but not MFA yet, to avoid logging someone in until they've
	// passed the MFA check.
	SetProvisionalCookies(w http.ResponseWriter, uid int, session, signedSession string)
	// GetCookies reads the uid and session cookies back out of a request, unverified.
	GetCookies(r *http.Request) (uid int, session string, err error)
	// SessionCheck resolves the request's cookies to a *User, or the guest user
	// when they are absent or don't match; halt is true when an internal error
	// has already been reported on w and the caller should stop.
	SessionCheck(w http.ResponseWriter, r *http.Request) (u *User, halt bool)
	// CreateSession stores a fresh session token for uid and returns it.
	CreateSession(uid int) (session string, err error)
	// CreateProvisionalSession returns a random provisional session plus a
	// signed form of it bound to uid, to avoid logging someone in until they've
	// passed the MFA check.
	CreateProvisionalSession(uid int) (provSession, signedSession string, err error)
}
// DefaultAuth is the default authenticator used by Gosora, may be swapped with an alternate authenticator in some situations. E.g. To support LDAP.
//
// All three statements are prepared once by NewDefaultAuth against the users
// table; a zero-value DefaultAuth (nil statements) is not usable.
type DefaultAuth struct {
	login         *sql.Stmt // SELECT uid, password, salt FROM users WHERE name = ?
	logout        *sql.Stmt // UPDATE users SET session = '' WHERE uid = ?
	updateSession *sql.Stmt // UPDATE users SET session = ? WHERE uid = ?
}
// NewDefaultAuth prepares the three users-table statements a DefaultAuth needs
// and returns it together with the first error the query builder recorded
// while preparing them. When that error is non-nil the returned value should
// not be used, since one or more of its statements will be nil.
func NewDefaultAuth() (*DefaultAuth, error) {
	acc := qgen.NewAcc()
	loginStmt := acc.Select("users").Columns("uid, password, salt").Where("name = ?").Prepare()
	logoutStmt := acc.Update("users").Set("session = ''").Where("uid = ?").Prepare()
	sessionStmt := acc.Update("users").Set("session = ?").Where("uid = ?").Prepare()
	da := &DefaultAuth{
		login:         loginStmt,
		logout:        logoutStmt,
		updateSession: sessionStmt,
	}
	return da, acc.FirstError()
}
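// Authenticate checks if a specific username and password is valid and returns the UID for the corresponding user, if so. Otherwise, a user safe error.
// IF MFA is enabled, then pass it back a flag telling the caller that authentication isn't complete yet
// TODO: Find a better way of handling errors we don't want to reach the user
//
// Sentinels are matched with errors.Is so a wrapped ErrNoRows or
// ErrMismatchedHashAndPassword coming back from the store or checker is still
// recognised instead of being logged as an internal error. The "no rows" case
// is tested against the package-level ErrNoRows throughout; it is compared
// against a database/sql Scan result here, so it is taken to be sql.ErrNoRows.
//
// NOTE(review): an unknown name returns ErrNoUserByName without running the
// password check, while a known name with a bad password returns
// ErrWrongPassword after a bcrypt compare. The two outcomes differ in both
// message and timing, so a client can confirm whether a username exists.
func (auth *DefaultAuth) Authenticate(name, password string) (uid int, err error, requiresExtraAuth bool) {
	var realPassword, salt string
	err = auth.login.QueryRow(name).Scan(&uid, &realPassword, &salt)
	switch {
	case errors.Is(err, ErrNoRows):
		return 0, ErrNoUserByName, false
	case err != nil:
		LogError(err)
		return 0, ErrSecretError, false
	}

	err = CheckPassword(realPassword, password, salt)
	switch {
	case errors.Is(err, ErrMismatchedHashAndPassword):
		return 0, ErrWrongPassword, false
	case err != nil:
		LogError(err)
		return 0, ErrSecretError, false
	}

	// An MFA record means the password alone isn't enough: report success but
	// tell the caller it still has to run ValidateMFAToken.
	_, err = MFAstore.Get(uid)
	switch {
	case err == nil:
		return uid, nil, true
	case errors.Is(err, ErrNoRows):
		return uid, nil, false
	default:
		LogError(err)
		return 0, ErrSecretError, false
	}
}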
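// ValidateMFAToken checks mfaToken against uid's stored MFA secret. A code
// accepted by VerifyGAuthToken succeeds outright; otherwise the token is
// compared against each remaining scratch code and, on a match, that scratch
// code is burned so it cannot be reused.
//
// Returns ErrNoMFAToken when the user has no MFA record, ErrBadMFAToken when
// VerifyGAuthToken rejects the token as malformed, ErrWrongMFAToken when it
// matches neither the live code nor a scratch code, and ErrSecretError (after
// logging) when the store fails. The no-rows case is matched with errors.Is on
// the package-level ErrNoRows, which is what the rest of this file compares
// store results against.
func (auth *DefaultAuth) ValidateMFAToken(mfaToken string, uid int) error {
	mfaItem, err := MFAstore.Get(uid)
	switch {
	case errors.Is(err, ErrNoRows):
		return ErrNoMFAToken
	case err != nil:
		LogError(err)
		return ErrSecretError
	}

	ok, err := VerifyGAuthToken(mfaItem.Secret, mfaToken)
	if err != nil {
		return ErrBadMFAToken
	}
	if ok {
		return nil
	}

	// Scratch codes are compared in constant time so a near-miss doesn't take a
	// different amount of time than a miss. (ConstantTimeCompare still returns
	// immediately on a length mismatch, so only the code length is observable.)
	tokenBytes := []byte(mfaToken)
	for i, scratch := range mfaItem.Scratch {
		if subtle.ConstantTimeCompare([]byte(scratch), tokenBytes) != 1 {
			continue
		}
		if err := mfaItem.BurnScratch(i); err != nil {
			LogError(err)
			return ErrSecretError
		}
		return nil
	}
	return ErrWrongMFAToken
}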
// ForceLogout logs the user out of every computer, not just the one they logged out of
//
// It blanks uid's stored session (an empty stored session never validates in
// SessionCheck, so every cookie still carrying the old value stops working)
// and evicts the user from the cache so the stale Session isn't served from
// memory. Database failures are logged and surfaced as ErrSecretError.
func (auth *DefaultAuth) ForceLogout(uid int) error {
	if _, err := auth.logout.Exec(uid); err != nil {
		LogError(err)
		return ErrSecretError
	}
	// Flush the user out of the cache
	cache := Users.GetCache()
	if cache == nil {
		return nil
	}
	cache.Remove(uid)
	return nil
}
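// setCookie adds cookie to the response with the requested SameSite policy.
//
// sameSite is "lax" or "strict"; any other value leaves the attribute unset
// (note that "none" is not mapped, matching the previous behaviour). The policy
// is applied through cookie.SameSite — which this function mutates on the
// caller's value — and serialised by net/http, rather than by appending raw
// text to cookie.String(). The earlier hand-built "strict" branch emitted a
// bare "SameSite" attribute with no value, which the current cookie spec does
// not define and browsers do not reliably treat as Strict, so the cookie
// silently got the default policy. As before, a cookie that net/http cannot
// serialise (e.g. an invalid name) is dropped rather than written.
func setCookie(w http.ResponseWriter, cookie *http.Cookie, sameSite string) {
	switch sameSite {
	case "lax":
		cookie.SameSite = http.SameSiteLaxMode
	case "strict":
		cookie.SameSite = http.SameSiteStrictMode
	}
	// http.SetCookie writes nothing when cookie.String() is empty.
	http.SetCookie(w, cookie)
}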
// deleteCookie tells the browser to discard cookie. A negative MaxAge is
// serialised by net/http as "Max-Age=0", which expires the cookie at once;
// the cookie's Name and Path must match the one being removed for the browser
// to apply it. The caller's cookie value is modified.
func deleteCookie(w http.ResponseWriter, cookie *http.Cookie) {
	const expireImmediately = -1
	cookie.MaxAge = expireImmediately
	http.SetCookie(w, cookie)
}
// Logout logs you out of the computer you requested the logout for, but not the other computers you're logged in with
//
// Only the browser-side "uid" and "session" cookies are expired; the session
// value stored for the user is untouched, so a copy of the old cookie would
// still pass SessionCheck until CreateSession or ForceLogout replaces it.
// The uid argument is unused and exists only to satisfy AuthInt.
func (auth *DefaultAuth) Logout(w http.ResponseWriter, _ int) {
	for _, name := range [...]string{"uid", "session"} {
		deleteCookie(w, &http.Cookie{Name: name, Value: "", Path: "/"})
	}
}
// TODO: Set the cookie domain
// SetCookies sets the two cookies required for the current user to be recognised as a specific user in future requests
//
// Both cookies ("uid" and "session") are scoped to Path "/", carry a MaxAge of
// int(Year) and are sent with SameSite=lax. Neither is marked HttpOnly or
// Secure here, so the session value is readable by page script and is also
// sent over plain HTTP. NOTE(review): confirm that is intended — HttpOnly on
// the session cookie would keep it out of reach of injected script.
func (auth *DefaultAuth) SetCookies(w http.ResponseWriter, uid int, session string) {
	newCookie := func(name, value string) *http.Cookie {
		return &http.Cookie{Name: name, Value: value, Path: "/", MaxAge: int(Year)}
	}
	setCookie(w, newCookie("uid", strconv.Itoa(uid)), "lax")
	setCookie(w, newCookie("session", session), "lax")
}
// TODO: Set the cookie domain
// SetProvisionalCookies sets the cookies required for guests to be recognised as having passed the initial login but not having passed the additional checks (e.g. multi-factor authentication)
//
// Three cookies are written: "uid", "provSession" and "signedSession" (the
// last two come from CreateProvisionalSession). All share Path "/", a MaxAge
// of int(Year) and SameSite=lax, and, as with SetCookies, none is HttpOnly or
// Secure.
func (auth *DefaultAuth) SetProvisionalCookies(w http.ResponseWriter, uid int, provSession, signedSession string) {
	pairs := [...][2]string{
		{"uid", strconv.Itoa(uid)},
		{"provSession", provSession},
		{"signedSession", signedSession},
	}
	for _, p := range pairs {
		c := &http.Cookie{Name: p[0], Value: p[1], Path: "/", MaxAge: int(Year)}
		setCookie(w, c, "lax")
	}
}
// GetCookies fetches the current user's session cookies
//
// It reads the "uid" cookie (parsed as an int) and the "session" cookie and
// returns them unverified — SessionCheck is what compares the session against
// the stored one. The error is passed through from r.Cookie or strconv.Atoi,
// so a missing cookie surfaces as http.ErrNoCookie. On any error uid is 0 and
// session is "".
func (auth *DefaultAuth) GetCookies(r *http.Request) (uid int, session string, err error) {
	// Are there any session cookies..?
	uidCookie, err := r.Cookie("uid")
	if err != nil {
		return 0, "", err
	}
	if uid, err = strconv.Atoi(uidCookie.Value); err != nil {
		return 0, "", err
	}
	sessionCookie, err := r.Cookie("session")
	if err != nil {
		return 0, "", err
	}
	return uid, sessionCookie.Value, nil
}
// SessionCheck checks if a user has session cookies and whether they're valid
//
// Outcomes, in order: missing or unparsable cookies -> guest; uid not in the
// user store -> guest; store failure -> InternalError is reported on w and
// halt is true so the caller stops; stored session empty or different from
// the cookie -> guest. Only an exact (constant-time) match returns the user.
func (auth *DefaultAuth) SessionCheck(w http.ResponseWriter, r *http.Request) (user *User, halt bool) {
	uid, session, err := auth.GetCookies(r)
	if err != nil {
		return &GuestUser, false
	}

	// Is this session valid..?
	if user, err = Users.Get(uid); err != nil {
		if err == ErrNoRows {
			return &GuestUser, false
		}
		InternalError(err, w, r)
		return &GuestUser, true
	}

	// An empty stored session (the state ForceLogout leaves behind) never
	// matches, not even an empty cookie.
	if user.Session == "" {
		return &GuestUser, false
	}
	// We need to do a constant time compare, otherwise someone might be able to deduce the session character by character based on how long it takes to do the comparison. Change this at your own peril.
	if subtle.ConstantTimeCompare([]byte(session), []byte(user.Session)) != 1 {
		return &GuestUser, false
	}
	return user, false
}
// CreateSession mints a fresh session token for uid, persists it through the
// prepared updateSession statement and evicts uid from the user cache so the
// next lookup cannot serve a stale session value.
//
// Returns the new token, or an error when token generation or the database
// write fails (the token is discarded in that case).
func (auth *DefaultAuth) CreateSession(uid int) (session string, err error) {
	if session, err = GenerateSafeString(SessionLength); err != nil {
		return "", err
	}
	if _, err = auth.updateSession.Exec(session, uid); err != nil {
		return "", err
	}
	// The cached user still carries the previous session; drop it.
	if ucache := Users.GetCache(); ucache != nil {
		ucache.Remove(uid)
	}
	return session, nil
}
// CreateProvisionalSession issues a session token for uid without writing
// anything to the database (contrast CreateSession), together with a
// hex-encoded SHA-256 over the session signing key, the token and uid.
// The digest is presumably recomputed elsewhere to detect tampering.
//
// NOTE(review): this is a plain prefix hash (key||msg) rather than an HMAC.
// Whatever verifies signedSession must change in lockstep if the
// construction is ever replaced, so it is reproduced unchanged here.
func (auth *DefaultAuth) CreateProvisionalSession(uid int) (provSession, signedSession string, err error) {
	provSession, err = GenerateSafeString(SessionLength)
	if err != nil {
		return "", "", err
	}
	// Hashing the concatenation feeds SHA-256 exactly the same bytes as the
	// three successive Write calls it replaces.
	signingKey := SessionSigningKeyBox.Load().(string)
	digest := sha256.Sum256([]byte(signingKey + provSession + strconv.Itoa(uid)))
	return provSession, hex.EncodeToString(digest[:]), nil
}
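// CheckPassword dispatches the stored hash realPassword to the checker
// registered for its algorithm and reports whether password and salt match.
//
// The algorithm is identified by the prefix up to and including the second
// "$" (for a bcrypt hash "$2a$10$..." that is "$2a$"), looked up in
// HashPrefixes; the resulting algorithm name selects the checker in
// CheckPasswordFuncs.
//
// Returns ErrHashNotExist when the prefix is unknown or when no checker is
// registered for the algorithm (previously the second case called a nil
// function and panicked); otherwise the checker's result, which is
// ErrMismatchedHashAndPassword on a wrong password for the built-in checkers.
func CheckPassword(realPassword, password, salt string) (err error) {
	parts := strings.Split(realPassword, "$")
	prefix := parts[0]
	if len(parts) > 1 {
		prefix += "$" + parts[1] + "$"
	}
	algo, ok := HashPrefixes[prefix]
	if !ok {
		return ErrHashNotExist
	}
	checker, ok := CheckPasswordFuncs[algo]
	if !ok || checker == nil {
		// A prefix registered without a checker must fail closed, not panic.
		return ErrHashNotExist
	}
	return checker(realPassword, password, salt)
}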
// GeneratePassword hashes password with the algorithm named by
// DefaultHashAlgo and returns the encoded hash plus whatever salt that
// algorithm's generator produced (empty for bcrypt, which embeds its salt).
// ErrHashNotExist is returned when no generator is registered under
// DefaultHashAlgo.
func GeneratePassword(password string) (hash, salt string, err error) {
	generator, found := GeneratePasswordFuncs[DefaultHashAlgo]
	if !found {
		return "", "", ErrHashNotExist
	}
	hash, salt, err = generator(password)
	return hash, salt, err
}
// BcryptCheckPassword compares the stored bcrypt hash realPassword against
// password with salt appended. bcrypt carries its own salt inside the hash,
// so salt is expected to be empty for this algorithm (see
// BcryptGeneratePassword). On a mismatch bcrypt's error is returned, which
// ErrMismatchedHashAndPassword aliases.
func BcryptCheckPassword(realPassword, password, salt string) (err error) {
	candidate := append([]byte(password), salt...)
	return bcrypt.CompareHashAndPassword([]byte(realPassword), candidate)
}
// BcryptGeneratePassword hashes password with bcrypt at bcrypt.DefaultCost.
// The salt lives inside the returned hash, so the salt result is always the
// empty string. bcrypt only considers the first 72 bytes of its input; how
// longer passwords are treated (truncated or rejected) depends on the
// x/crypto version in use, so length policy belongs with the caller.
func BcryptGeneratePassword(password string) (hash, salt string, err error) {
	var hashed []byte
	hashed, err = bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
	if err != nil {
		return "", "", err
	}
	hash = string(hashed)
	return hash, "", nil
}
/ * const (
argon2Time uint32 = 3
argon2Memory uint32 = 32 * 1024
argon2Threads uint8 = 4
argon2KeyLen uint32 = 32
)
func Argon2CheckPassword ( realPassword , password , salt string ) ( err error ) {
2022-02-21 03:32:53 +00:00
split := strings . Split ( realPassword , "$" )
// TODO: Better validation — the DecodeString/Atoi errors below are discarded, and the format string in Argon2GeneratePassword emits no "$" separators between the parameters this split expects
if len ( split ) < 5 {
return ErrTooFewHashParams
}
realKey , _ := base64 . StdEncoding . DecodeString ( split [ len ( split ) - 1 ] )
time , _ := strconv . Atoi ( split [ 1 ] )
memory , _ := strconv . Atoi ( split [ 2 ] )
threads , _ := strconv . Atoi ( split [ 3 ] )
keyLen , _ := strconv . Atoi ( split [ 4 ] )
key := argon2 . Key ( [ ] byte ( password ) , [ ] byte ( salt ) , uint32 ( time ) , uint32 ( memory ) , uint8 ( threads ) , uint32 ( keyLen ) )
if subtle . ConstantTimeCompare ( realKey , key ) != 1 {
return ErrMismatchedHashAndPassword
}
return nil
2018-05-27 09:36:35 +00:00
}
func Argon2GeneratePassword ( password string ) ( hash , salt string , err error ) {
sbytes := make ( [ ] byte , SaltLength )
_ , err = rand . Read ( sbytes )
if err != nil {
return "" , "" , err
}
key := argon2 . Key ( [ ] byte ( password ) , sbytes , argon2Time , argon2Memory , argon2Threads , argon2KeyLen )
hash = base64 . StdEncoding . EncodeToString ( key )
return fmt . Sprintf ( "argon2$%d%d%d%d%s%s" , argon2Time , argon2Memory , argon2Threads , argon2KeyLen , salt , hash ) , string ( sbytes ) , nil
2018-05-27 09:36:35 +00:00
}
* /
// TODO: Test this with Google Authenticator proper
//
// FriendlyGAuthSecret reformats a 2FA secret for display as space-separated
// groups of four, e.g. "ABCDEFGH" -> "ABCD EFGH". Groups are cut on byte
// offsets, which is exact for ASCII secrets; a trailing separator is
// trimmed.
func FriendlyGAuthSecret(secret string) (out string) {
	var b strings.Builder
	b.Grow(len(secret) + len(secret)/4)
	for i, r := range secret {
		b.WriteRune(r)
		// i is a byte offset; every fourth one closes a group.
		if (i+1)%4 == 0 {
			b.WriteByte(' ')
		}
	}
	return strings.TrimSpace(b.String())
}
// GenerateGAuthSecret produces a fresh 2FA secret by calling
// GenerateStd32SafeString with a length parameter of 14. The string and
// error from that call are returned unchanged.
func GenerateGAuthSecret() (string, error) {
	const secretLength = 14
	secret, err := GenerateStd32SafeString(secretLength)
	return secret, err
}
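// VerifyGAuthToken reports whether token equals the TOTP code currently
// derived from secret, comparing in constant time so timing does not reveal
// how much of the code matched.
//
// Returns (false, err) when gauth.GetTOTPToken fails. The previous version
// compared anyway, so if GetTOTPToken yields an empty string on failure an
// empty token would have been reported as matching alongside the error.
func VerifyGAuthToken(secret, token string) (bool, error) {
	expected, err := gauth.GetTOTPToken(secret)
	if err != nil {
		// Fail closed: never report a match when no expected code exists.
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(token)) == 1, nil
}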