

5 commits

9d6d000d27
Version bump 2023-01-27 11:19:35 -06:00
0e50abffe9
Merge branch 'security' 2023-01-27 11:18:15 -06:00
59ff5a29c7
Implement test 2023-01-27 11:15:03 -06:00
a17e8d6f2a
Implement BLAKE3 for PIN hashing 2023-01-27 11:01:05 -06:00
6d14ccd48a
Implement pin hardening 2023-01-26 12:13:17 -06:00
5 changed files with 30 additions and 10 deletions


@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.2.3] - 2023-01-27
### Changed
- Implement `BLAKE3` for PIN hashing.
## [1.2.2] - 2023-01-25
### Fixed


@ -1,5 +1,5 @@
name: zgo-backend
version: 1.2.2
version: 1.2.3
git: "https://git.vergara.tech/Vergara_Tech/zgo-backend"
license: BOSL
author: "Rene Vergara"


@ -6,6 +6,7 @@
module ZGoBackend where
import qualified BLAKE3 as BLK
import Config
import Control.Concurrent (forkIO, threadDelay)
import Control.Exception (try)
@ -14,6 +15,7 @@ import Control.Monad.IO.Class
import Data.Aeson
import Data.Array
import qualified Data.Bson as B
import qualified Data.ByteArray as BA
import qualified Data.ByteString as BS
import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as C
@ -426,12 +428,17 @@ addUser nodeUser nodePwd p db node (Just tx) = do
when isNew $ do
let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx))
_ <- sendPin nodeUser nodePwd node (address tx) newPin
let pinHash =
BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ newPin <> session tx :: BA.Bytes
]
insert_
"users"
[ "address" =: address tx
, "session" =: session tx
, "blocktime" =: blocktime tx
, "pin" =: newPin
, "pin" =:
(T.pack . show $ (pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
, "validated" =: False
]
@ -790,6 +797,10 @@ routes pipe config = do
post "/api/validateuser" $ do
providedPin <- param "pin"
sess <- param "session"
let pinHash =
BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ providedPin <> sess :: BA.Bytes
]
user <- liftAndCatchIO $ run (findUser sess)
case user of
Nothing -> status noContent204 --`debug` "No user match"
@ -798,7 +809,10 @@ routes pipe config = do
case parsedUser of
Nothing -> status noContent204 --`debug` "Couldn't parse user"
Just pUser -> do
let ans = upin pUser == T.pack providedPin
let ans =
upin pUser ==
(T.pack . show $
(pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
if ans
then do
liftAndCatchIO $ run (validateUser sess)
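Review bot: The stored value is an unkeyed BLAKE3 digest of a 7-digit PIN concatenated with the session id, and that same session id is written to the same document (`"session" =: session tx`), so anyone who can read the `users` collection recovers every PIN with at most ~10^7 fast hash evaluations; a fast hash does not harden a low-entropy secret. Prefer a deliberately slow KDF (Argon2, scrypt or PBKDF2) or at least a keyed hash whose key lives outside the database, and say so in a comment above `let pinHash =` so the next maintainer knows why. Nothing in the `/api/validateuser` hunk limits attempts, so online guessing faces the same 10^7 space; an attempt counter or per-session lockout would matter more than the hash choice, unless one exists outside this hunk. Minor: `upin pUser == ...` is a plain `Text` comparison rather than a constant-time one, and the `BA.pack . BS.unpack . C.pack . T.unpack` chain, duplicated in both hunks, could be one helper such as `pinDigest p s = BLK.hash [BA.convert (T.encodeUtf8 (p <> s)) :: BA.Bytes]` if `Data.Text.Encoding` is in scope. Both `addUser` and `routes` begin and end outside these hunks.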


@ -176,7 +176,7 @@ main = do
req <-
testGet
"/api/user"
[("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")]
[("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca")]
res <- httpJSON req
getResponseStatus (res :: Response A.Value) `shouldBe` ok200
it "returns 204 when no user" $ do
@ -190,8 +190,8 @@ main = do
req <-
testPost
"/api/validateuser"
[ ("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdcd")
, ("pin", Just "1234567")
[ ("session", Just "35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca")
, ("pin", Just "8227514")
]
res <- httpLBS req
getResponseStatus res `shouldBe` accepted202
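Review bot: Only the accepting path is pinned here; now that the PIN is compared as a rendered digest, a second case posting a wrong pin for session `35bfb9c2-9ad2-4fe5-adda-99d63b8dcdca` and asserting the status is not `accepted202` would catch a regression where the two hashing sites or the digest rendering drift apart. The `202` expectation also presumes the test database was seeded with the BLAKE3 digest of `"8227514" <> session` rather than the plaintext pin; the seeding step is outside this hunk, so confirm it was updated together with this change. `main` begins before the hunk.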


@ -10,7 +10,7 @@ port = 3000
tls = false
certificate = "/path/to/cert.pem"
key = "/path/to/key.pem"
mailHost = "127.0.0.1"
mailPort = 1025
mailUser = "contact@zgo.cash"
mailPwd = "uib3K8BkCPexl_wr5bYfrg"
smtpHost = "127.0.0.1"
smtpPort = 1025
smtpUser = "contact@zgo.cash"
smtpPwd = "uib3K8BkCPexl_wr5bYfrg"
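Review bot: A credential-looking value, `smtpPwd = "uib3K8BkCPexl_wr5bYfrg"`, is committed alongside the key rename; if this is a live SMTP password it is already in history and should be rotated and supplied from the environment or an untracked file, and if it is only a sample it should follow the obviously-fake placeholder style of `certificate = "/path/to/cert.pem"`. The rename from `mail*` to `smtp*` is also a breaking change for any existing deployment config, and the Config module that reads these keys is not among the five changed files, so confirm it already expects the new names.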