Compare commits


No commits in common. "9564e9fa1840927a1c75b2961cca3e3e11d3fe17" and "42957547a9e0d72a168c9962a55e0b5cc45f60e5" have entirely different histories.

7 changed files with 7 additions and 32 deletions


@ -4,12 +4,6 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.2.5] - 2023-02-01
### Fixed
- Replaced the PIN generation with the cryptographically-secure `crypto-rng`.
## [1.2.4] - 2023-01-30 ## [1.2.4] - 2023-01-30
### Changed ### Changed


@ -1,5 +1,5 @@
name: zgo-backend name: zgo-backend
version: 1.2.5 version: 1.2.4
git: "https://git.vergara.tech/Vergara_Tech/zgo-backend" git: "https://git.vergara.tech/Vergara_Tech/zgo-backend"
license: BOSL license: BOSL
author: "Rene Vergara" author: "Rene Vergara"
@ -59,7 +59,6 @@ library:
- memory - memory
- ghc-prim - ghc-prim
- network - network
- crypto-rng
executables: executables:
zgo-backend-exe: zgo-backend-exe:


@ -6,8 +6,6 @@ module User where
import Control.Monad import Control.Monad
import Control.Monad.IO.Class import Control.Monad.IO.Class
import Crypto.RNG
import Crypto.RNG.Utils
import Data.Aeson import Data.Aeson
import qualified Data.Bson as B import qualified Data.Bson as B
import Data.Maybe import Data.Maybe
@ -101,18 +99,12 @@ validateUser session =
(select ["session" =: session] "users") (select ["session" =: session] "users")
["$set" =: ["validated" =: True]] ["$set" =: ["validated" =: True]]
generatePin' :: Int -> IO T.Text generatePin :: Int -> IO T.Text
generatePin' s = do generatePin s = do
let g = mkStdGen s let g = mkStdGen s
pure $ pure $
T.pack (padLeft (show . head $ randomRs (1 :: Integer, 10000000) g) '0' 7) T.pack (padLeft (show . head $ randomRs (1 :: Integer, 10000000) g) '0' 7)
generatePin :: IO String
generatePin = do
rngState <- newCryptoRNGState
runCryptoRNGT rngState $
randomString 7 ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
-- | Helper function to pad a string to a given length -- | Helper function to pad a string to a given length
padLeft :: String -> Char -> Int -> String padLeft :: String -> Char -> Int -> String
padLeft s c m = padLeft s c m =
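Review bot: On the new side `generatePin` builds the PIN from `mkStdGen s` and `randomRs`, so the PIN is a pure function of the seed, and the only caller visible in this compare (the `addUser` hunk further down) passes `fromIntegral $ blocktime tx` as that seed — a value that is public for the transaction being processed. `StdGen` is not a cryptographic generator, and seeding it with a public value makes the 7-digit PIN recomputable by anyone who knows the block time, so it cannot serve as a shared secret and the `pinHash` later stored in `users` inherits that predictability. The digits should come from a cryptographically secure source (the old side of this compare shows such a path via `crypto-rng`) rather than from transaction metadata, and the seed-taking signature should not be kept as the production entry point. A minor secondary point: `randomRs (1 :: Integer, 10000000)` is inclusive, so the value 10000000 renders as eight characters and `padLeft ... '0' 7` does not shorten it (the body of `padLeft` continues outside the hunk); `randomRs (0, 9999999)` would keep exactly seven digits.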


@ -426,12 +426,11 @@ addUser _ _ _ _ _ Nothing = return () --`debug` "addUser got Nothing"
addUser nodeUser nodePwd p db node (Just tx) = do addUser nodeUser nodePwd p db node (Just tx) = do
isNew <- liftIO $ isUserNew p db tx isNew <- liftIO $ isUserNew p db tx
when isNew $ do when isNew $ do
newPin <- liftIO generatePin let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx))
_ <- sendPin nodeUser nodePwd node (address tx) (T.pack newPin) _ <- sendPin nodeUser nodePwd node (address tx) newPin
let pinHash = let pinHash =
BLK.hash BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ [ BA.pack . BS.unpack . C.pack . T.unpack $ newPin <> session tx :: BA.Bytes
T.pack newPin <> session tx :: BA.Bytes
] ]
insert_ insert_
"users" "users"


@ -45,7 +45,6 @@ extra-deps:
- git: https://github.com/reach-sh/haskell-hexstring.git - git: https://github.com/reach-sh/haskell-hexstring.git
commit: 085c16fb21b9f856a435a3faab980e7e0b319341 commit: 085c16fb21b9f856a435a3faab980e7e0b319341
- blake3-0.2@sha256:d1146b9a51ccfbb0532780778b6d016a614e3d44c05d8c1923dde9a8be869045,2448 - blake3-0.2@sha256:d1146b9a51ccfbb0532780778b6d016a614e3d44c05d8c1923dde9a8be869045,2448
- crypto-rng-0.3.0.1@sha256:04f4ae75943ecad8b794950985054130f272d65a588b6b6528f56df0bfedc4dc,1565
# Override default flag values for local packages and extra-deps # Override default flag values for local packages and extra-deps
# flags: {} # flags: {}


@ -22,13 +22,6 @@ packages:
size: 1433 size: 1433
original: original:
hackage: blake3-0.2@sha256:d1146b9a51ccfbb0532780778b6d016a614e3d44c05d8c1923dde9a8be869045,2448 hackage: blake3-0.2@sha256:d1146b9a51ccfbb0532780778b6d016a614e3d44c05d8c1923dde9a8be869045,2448
- completed:
hackage: crypto-rng-0.3.0.1@sha256:04f4ae75943ecad8b794950985054130f272d65a588b6b6528f56df0bfedc4dc,1565
pantry-tree:
sha256: 1caccafe35d1ae3063f057c31188742a8e794f4f4e4530bab4019c0a514ee54f
size: 455
original:
hackage: crypto-rng-0.3.0.1@sha256:04f4ae75943ecad8b794950985054130f272d65a588b6b6528f56df0bfedc4dc,1565
snapshots: snapshots:
- completed: - completed:
sha256: bfafe5735ccb74527d754b1f9999ded72d7c3a6c3a88529449661431ccfbd6cc sha256: bfafe5735ccb74527d754b1f9999ded72d7c3a6c3a88529449661431ccfbd6cc


@ -5,7 +5,7 @@ cabal-version: 1.12
-- see: https://github.com/sol/hpack -- see: https://github.com/sol/hpack
name: zgo-backend name: zgo-backend
version: 1.2.5 version: 1.2.3
synopsis: Haskell Back-end for the ZGo point-of-sale application synopsis: Haskell Back-end for the ZGo point-of-sale application
description: Please see the README at <https://git.vergara.tech/Vergara_Tech//zgo-backend#readme> description: Please see the README at <https://git.vergara.tech/Vergara_Tech//zgo-backend#readme>
category: Web category: Web
@ -51,7 +51,6 @@ library
, bytestring , bytestring
, configurator , configurator
, containers , containers
, crypto-rng
, ghc-prim , ghc-prim
, hexstring , hexstring
, http-conduit , http-conduit