Implement pin hardening

src/ZGoBackend.hs

@@ -6,6 +6,7 @@
 
 module ZGoBackend where
 
+import qualified BLAKE3 as BLK
 import Config
 import Control.Concurrent (forkIO, threadDelay)
 import Control.Exception (try)
@@ -14,6 +15,7 @@ import Control.Monad.IO.Class
 import Data.Aeson
 import Data.Array
 import qualified Data.Bson as B
+import qualified Data.ByteArray as BA
 import qualified Data.ByteString as BS
 import qualified Data.ByteString.Base64 as B64
 import qualified Data.ByteString.Char8 as C
@@ -426,12 +428,17 @@ addUser nodeUser nodePwd p db node (Just tx) = do
   when isNew $ do
     let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx))
     _ <- sendPin nodeUser nodePwd node (address tx) newPin
+    let pinHash =
+          BLK.hash
+            [ BA.pack . BS.unpack . C.pack . T.unpack $ newPin <> session tx :: BA.Bytes
+            ]
     insert_
       "users"
       [ "address" =: address tx
       , "session" =: session tx
       , "blocktime" =: blocktime tx
-      , "pin" =: newPin
+      , "pin" =:
+        (T.pack . show $ (pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
       , "validated" =: False
       ]
 

test/Spec.hs

@@ -521,7 +521,7 @@ main = do
                       ["expiration" =: ["$lt" =: now], "paid" =: True]
                       "owners"))
             res `shouldBe` []
-          xit "login txs are converted to users" $ \p -> do
+          it "login txs are converted to users" $ \p -> do
             let myTx =
                   ZGoTx
                     Nothing

zgotest.cfg

@@ -10,7 +10,7 @@ port = 3000
 tls = false
 certificate = "/path/to/cert.pem"
 key = "/path/to/key.pem"
-mailHost = "127.0.0.1"
-mailPort = 1025
-mailUser = "contact@zgo.cash"
-mailPwd = "uib3K8BkCPexl_wr5bYfrg"
+smtpHost = "127.0.0.1"
+smtpPort = 1025
+smtpUser = "contact@zgo.cash"
+smtpPwd = "uib3K8BkCPexl_wr5bYfrg"