Merge branch 'security'

Rene Vergara 2023-01-27 11:18:15 -06:00
commit 0e50abffe9
Signed by: pitmutt
GPG key ID: 65122AD495A7F5B2
4 changed files with 29 additions and 9 deletions


@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Changed
- Implement `BLAKE3` for PIN hashing.
## [1.2.2] - 2023-01-25
### Fixed


@ -6,6 +6,7 @@
module ZGoBackend where
import qualified BLAKE3 as BLK
import Config
import Control.Concurrent (forkIO, threadDelay)
import Control.Exception (try)
@ -14,6 +15,7 @@ import Control.Monad.IO.Class
import Data.Aeson
import Data.Array
import qualified Data.Bson as B
import qualified Data.ByteArray as BA
import qualified Data.ByteString as BS
import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as C
@ -426,12 +428,17 @@ addUser nodeUser nodePwd p db node (Just tx) = do
when isNew $ do
let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx))
_ <- sendPin nodeUser nodePwd node (address tx) newPin
let pinHash =
BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ newPin <> session tx :: BA.Bytes
]
insert_
"users"
[ "address" =: address tx
, "session" =: session tx
, "blocktime" =: blocktime tx
, "pin" =: newPin
, "pin" =:
(T.pack . show $ (pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
, "validated" =: False
]
@ -790,6 +797,10 @@ routes pipe config = do
post "/api/validateuser" $ do
providedPin <- param "pin"
sess <- param "session"
let pinHash =
BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ providedPin <> sess :: BA.Bytes
]
user <- liftAndCatchIO $ run (findUser sess)
case user of
Nothing -> status noContent204 --`debug` "No user match"
@ -798,7 +809,10 @@ routes pipe config = do
case parsedUser of
Nothing -> status noContent204 --`debug` "Couldn't parse user"
Just pUser -> do
let ans = upin pUser == T.pack providedPin
let ans =
upin pUser ==
(T.pack . show $
(pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
if ans
then do
liftAndCatchIO $ run (validateUser sess)
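Review bot: The new `pinHash` bindings in `addUser` and in the `/api/validateuser` handler store a plain BLAKE3 digest of `pin <> session`, which is a fast, unsalted hash of what appears to be a 7-digit PIN (the spec posts 7 digits), so anyone holding a copy of the `users` collection can recover each PIN offline in roughly 10^7 hash evaluations — the session id sits in the same document and is also the lookup key the caller supplies, so it contributes no secret. Consider a password-hashing KDF with a per-user random salt (Argon2id or bcrypt, if a dependency is acceptable) or at minimum keying the hash with a server-side secret from `Config`, and confirm that `/api/validateuser` limits attempts per session, since a 7-digit space is small enough to guess online as well; rate limiting is not visible in this view. Persisting `T.pack . show $ pinHash` ties the stored format to the library's `Show` instance for `Digest`, and the `upin pUser == ...` comparison is an ordinary `Text` equality; encoding the digest bytes explicitly (hex) and comparing raw bytes with `BA.constEq`, which `Data.ByteArray` already provides, removes both the brittleness and the non-constant-time compare. `C.pack . T.unpack` also silently truncates any non-ASCII code point, so `T.encodeUtf8` is the faithful conversion (the `Data.Text.Encoding` import is not visible here and may need adding). `addUser` begins before the first hunk and `routes` continues past the last one.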


@ -176,7 +176,7 @@ main = do
req <-
testGet
"/api/user"
[("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")]
[("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca")]
res <- httpJSON req
getResponseStatus (res :: Response A.Value) `shouldBe` ok200
it "returns 204 when no user" $ do
@ -190,8 +190,8 @@ main = do
req <-
testPost
"/api/validateuser"
[ ("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")
, ("pin", Just "1234567")
[ ("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca")
, ("pin", Just "8227514")
]
res <- httpLBS req
getResponseStatus res `shouldBe` accepted202
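Review bot: The `/api/validateuser` case still exercises only the accepting path; now that the PIN is checked by comparing hashes, a companion case posting the same session with a wrong pin, e.g. `("pin", Just "0000000")`, and asserting the status is not `accepted202` would catch a comparison that always succeeds or a hash computed from the wrong input. If such a negative case already exists elsewhere in the spec, disregard this. The changed session id and pin presumably track an updated fixture in the test database, which is not in view.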


@ -10,7 +10,7 @@ port = 3000
tls = false
certificate = "/path/to/cert.pem"
key = "/path/to/key.pem"
mailHost = "127.0.0.1"
mailPort = 1025
mailUser = "contact@zgo.cash"
mailPwd = "uib3K8BkCPexl_wr5bYfrg"
smtpHost = "127.0.0.1"
smtpPort = 1025
smtpUser = "contact@zgo.cash"
smtpPwd = "uib3K8BkCPexl_wr5bYfrg"
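Review bot: `smtpPwd = "uib3K8BkCPexl_wr5bYfrg"` is carried over unchanged onto the new side and looks like a generated secret rather than a placeholder like the `/path/to/cert.pem` entries above it; if this is the committed example config, replace it with a dummy such as `smtpPwd = "changeme"` and rotate the real credential, since it is in git history regardless of later edits. The `mail*` to `smtp*` rename itself is fine, but the `Config` parser and any deployed config need to move together, as a stale key name would silently leave the SMTP settings unset — not verifiable from this view.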