

5 commits

Author SHA1 Message Date
9d6d000d27
Version bump 2023-01-27 11:19:35 -06:00
0e50abffe9
Merge branch 'security' 2023-01-27 11:18:15 -06:00
59ff5a29c7
Implement test 2023-01-27 11:15:03 -06:00
a17e8d6f2a
Implement BLAKE3 for PIN hashing 2023-01-27 11:01:05 -06:00
6d14ccd48a
Implement pin hardening 2023-01-26 12:13:17 -06:00
5 changed files with 30 additions and 10 deletions


@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.2.3] - 2023-01-27
### Changed
- Implement `BLAKE3` for PIN hashing.
## [1.2.2] - 2023-01-25 ## [1.2.2] - 2023-01-25
### Fixed ### Fixed


@ -1,5 +1,5 @@
name: zgo-backend name: zgo-backend
version: 1.2.2 version: 1.2.3
git: "https://git.vergara.tech/Vergara_Tech/zgo-backend" git: "https://git.vergara.tech/Vergara_Tech/zgo-backend"
license: BOSL license: BOSL
author: "Rene Vergara" author: "Rene Vergara"


@ -6,6 +6,7 @@
module ZGoBackend where module ZGoBackend where
import qualified BLAKE3 as BLK
import Config import Config
import Control.Concurrent (forkIO, threadDelay) import Control.Concurrent (forkIO, threadDelay)
import Control.Exception (try) import Control.Exception (try)
@ -14,6 +15,7 @@ import Control.Monad.IO.Class
import Data.Aeson import Data.Aeson
import Data.Array import Data.Array
import qualified Data.Bson as B import qualified Data.Bson as B
import qualified Data.ByteArray as BA
import qualified Data.ByteString as BS import qualified Data.ByteString as BS
import qualified Data.ByteString.Base64 as B64 import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as C import qualified Data.ByteString.Char8 as C
@ -426,12 +428,17 @@ addUser nodeUser nodePwd p db node (Just tx) = do
when isNew $ do when isNew $ do
let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx)) let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx))
_ <- sendPin nodeUser nodePwd node (address tx) newPin _ <- sendPin nodeUser nodePwd node (address tx) newPin
let pinHash =
BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ newPin <> session tx :: BA.Bytes
]
insert_ insert_
"users" "users"
[ "address" =: address tx [ "address" =: address tx
, "session" =: session tx , "session" =: session tx
, "blocktime" =: blocktime tx , "blocktime" =: blocktime tx
, "pin" =: newPin , "pin" =:
(T.pack . show $ (pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
, "validated" =: False , "validated" =: False
] ]
@ -790,6 +797,10 @@ routes pipe config = do
post "/api/validateuser" $ do post "/api/validateuser" $ do
providedPin <- param "pin" providedPin <- param "pin"
sess <- param "session" sess <- param "session"
let pinHash =
BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ providedPin <> sess :: BA.Bytes
]
user <- liftAndCatchIO $ run (findUser sess) user <- liftAndCatchIO $ run (findUser sess)
case user of case user of
Nothing -> status noContent204 --`debug` "No user match" Nothing -> status noContent204 --`debug` "No user match"
@ -798,7 +809,10 @@ routes pipe config = do
case parsedUser of case parsedUser of
Nothing -> status noContent204 --`debug` "Couldn't parse user" Nothing -> status noContent204 --`debug` "Couldn't parse user"
Just pUser -> do Just pUser -> do
let ans = upin pUser == T.pack providedPin let ans =
upin pUser ==
(T.pack . show $
(pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
if ans if ans
then do then do
liftAndCatchIO $ run (validateUser sess) liftAndCatchIO $ run (validateUser sess)
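Review bot: The stored PIN digest in addUser (the `pinHash` binding before `insert_`) and the check in the `/api/validateuser` handler are a single BLAKE3 pass over `pin <> session`, and BLAKE3 is fast by design; since the PIN is a short numeric code (the test fixture uses seven digits), a leaked `users` collection leaves each PIN recoverable by offline guessing in seconds, so this field wants a slow password hash (Argon2id/scrypt) or at minimum a server-side pepper that is not stored next to the digest. The hashing expression is duplicated verbatim in both hunks and both serialise the digest with `show`, which is a debugging representation rather than a committed encoding — extract one `hashPin` helper so the write and verify paths cannot drift (sketch below, keeping `show` only so existing stored values still match). The `BA.pack . BS.unpack . C.pack . T.unpack` chain goes through `Data.ByteString.Char8`, which truncates any non-ASCII character to its low byte; harmless for digits and a UUID, but `Data.Text.Encoding.encodeUtf8` is the direct conversion if that module is available to this file. The `==` on `Text` in the handler is not constant-time; it is probably acceptable for a digest comparison behind a session lookup, but worth a comment. Both enclosing definitions, addUser and routes, start and end outside these hunks.
```haskell
-- | Text form of the PIN digest, shared by addUser and /api/validateuser.
-- NOTE(review): BLAKE3 is a fast hash; for a short numeric PIN a slow KDF is preferable.
hashPin :: T.Text -> T.Text -> T.Text
hashPin pin sess =
  T.pack . show $
    (BLK.hash [BA.pack . BS.unpack . C.pack . T.unpack $ pin <> sess :: BA.Bytes]
       :: BLK.Digest BLK.DEFAULT_DIGEST_LEN)
-- … unchanged: addUser up to the insert_ field list …
        , "pin" =: hashPin newPin (session tx)
-- … unchanged: /api/validateuser up to the parsedUser match …
            let ans = upin pUser == hashPin providedPin sess
```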


@ -176,7 +176,7 @@ main = do
req <- req <-
testGet testGet
"/api/user" "/api/user"
[("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")] [("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca")]
res <- httpJSON req res <- httpJSON req
getResponseStatus (res :: Response A.Value) `shouldBe` ok200 getResponseStatus (res :: Response A.Value) `shouldBe` ok200
it "returns 204 when no user" $ do it "returns 204 when no user" $ do
@ -190,8 +190,8 @@ main = do
req <- req <-
testPost testPost
"/api/validateuser" "/api/validateuser"
[ ("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd") [ ("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca")
, ("pin", Just "1234567") , ("pin", Just "8227514")
] ]
res <- httpLBS req res <- httpLBS req
getResponseStatus res `shouldBe` accepted202 getResponseStatus res `shouldBe` accepted202
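Review bot: The expected PIN `8227514` in the `/api/validateuser` request now only produces 202 if the test database already holds the BLAKE3 digest of that PIN joined with session `35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca`, and nothing in the hunk shows where that fixture is seeded (presumably an earlier setup step in `main`). A one-line comment above the request, `-- fixture user seeded with the hash of pin <> session; see test setup`, would keep the coupling visible, and deriving the fixture from the same hashing code the application uses would stop the two from drifting. `main` starts and ends outside the hunk.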


@ -10,7 +10,7 @@ port = 3000
tls = false tls = false
certificate = "/path/to/cert.pem" certificate = "/path/to/cert.pem"
key = "/path/to/key.pem" key = "/path/to/key.pem"
mailHost = "127.0.0.1" smtpHost = "127.0.0.1"
mailPort = 1025 smtpPort = 1025
mailUser = "contact@zgo.cash" smtpUser = "contact@zgo.cash"
mailPwd = "uib3K8BkCPexl_wr5bYfrg" smtpPwd = "uib3K8BkCPexl_wr5bYfrg"
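Review bot: `smtpPwd` on the last line of the hunk carries what looks like a real credential in a checked-in sample config, and the rename from `mailPwd` leaves the same value in history under both keys. A sample config should hold a labelled placeholder, e.g. `smtpPwd = "<smtp-password>"`, with the real value supplied from the environment or an untracked file; if this value was ever used against a live mail account, treat it as exposed and rotate it. The enclosing config section begins before the hunk.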