From 62ebc38acc54335ed7c4b14551fae828efddc333 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@helsinki.at>
Date: Sat, 26 Dec 2015 09:58:34 +0100
Subject: session store now checks password


diff --git a/src/helsinki.at/rhimport/fetcher.go b/src/helsinki.at/rhimport/fetcher.go
index acb6592..81072eb 100644
--- a/src/helsinki.at/rhimport/fetcher.go
+++ b/src/helsinki.at/rhimport/fetcher.go
@@ -247,31 +247,14 @@ func fetcher_init() {
 }
 
 func checkPassword(ctx *ImportContext, result *FetchResult) (err error) {
-	cached := true
-
-	for {
-		res_ch := make(chan getPasswordResult)
-		req := getPasswordRequest{}
-		req.username = ctx.UserName
-		req.cached = cached
-		req.response = res_ch
-		ctx.rddb.getPasswordChan <- req
-
-		res := <-res_ch
-		if res.err != nil {
-			return res.err
-		}
-		if ctx.Password == res.password {
-			return nil
-		}
-		if cached {
-			cached = false
-		} else {
-			break
-		}
+	ok := false
+	if ok, err = ctx.rddb.CheckPassword(ctx.UserName, ctx.Password); err != nil {
+		return
+	}
+	if !ok {
+		result.ResponseCode = http.StatusUnauthorized
+		result.ErrorString = "invalid username and/or password"
 	}
-	result.ResponseCode = http.StatusUnauthorized
-	result.ErrorString = "invalid username and/or password"
 	return
 }
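Review bot: The `ok := false` on the first added line is dead, because the assignment in the `if` header overwrites it before anything reads it (ineffassign would flag it); `ok, err := ctx.rddb.CheckPassword(ctx.UserName, ctx.Password)` followed by `if err != nil { return }` does the same with one declaration — `err` is the named result in the same scope, so `:=` there only introduces `ok`. On a database failure the function returns `err` without touching `result.ResponseCode`, so the caller (outside this hunk) decides the status for that path; keeping that distinct from the 401 set on `!ok` is the right split between "wrong credentials" and "could not verify", and is worth a one-line comment above the `if !ok` so nobody later folds the two together. The hunk header names fetcher_init, but the function actually changed is checkPassword, which lies entirely inside the hunk.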
 
diff --git a/src/helsinki.at/rhimport/rddb.go b/src/helsinki.at/rhimport/rddb.go
index 514abdf..7466d9c 100644
--- a/src/helsinki.at/rhimport/rddb.go
+++ b/src/helsinki.at/rhimport/rddb.go
@@ -177,6 +177,33 @@ func (self *RdDb) getPassword(username string, cached bool) (result getPasswordR
 	return
 }
 
+func (self *RdDbChan) CheckPassword(username, password string) (result bool, err error) {
+	cached := true
+
+	for {
+		res_ch := make(chan getPasswordResult)
+		req := getPasswordRequest{}
+		req.username = username
+		req.cached = cached
+		req.response = res_ch
+		self.getPasswordChan <- req
+
+		res := <-res_ch
+		if res.err != nil {
+			return false, res.err
+		}
+		if password == res.password {
+			return true, nil
+		}
+		if cached {
+			cached = false
+		} else {
+			break
+		}
+	}
+	return false, nil
+}
+
 func (self *RdDb) getGroupOfCart(cart uint) (result getGroupOfCartResult) {
 	var rows *sql.Rows
 	if rows, result.err = self.getGroupOfCartStmt.Query(cart, cart); result.err != nil {
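Review bot: `password == res.password` checks the supplied password against the stored value with Go's short-circuiting string equality, which leaks how much of a guess matched through timing; `subtle.ConstantTimeCompare([]byte(password), []byte(res.password)) == 1` (crypto/subtle) costs one import and removes that channel, and if what getPassword returns is a plaintext column rather than a hash (not visible here) the comparison is only as strong as the store itself. The cached-then-uncached loop means every mismatch ends in a second, uncached database round trip, so an online guessing attack bypasses the cache entirely; that is acceptable for honouring password changes, but it deserves a comment and, ideally, a per-user attempt limit in the caller. If getPassword yields an empty password rather than `res.err` for an unknown or password-less user, an empty submitted password would authenticate — a leading `if password == "" { return false, nil }` closes that regardless of what the lookup does. CheckPassword is exported and undocumented; `// CheckPassword reports whether password matches the stored password for username, retrying once uncached so a recently changed password is honoured.` would do.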
diff --git a/src/helsinki.at/rhimport/session_store.go b/src/helsinki.at/rhimport/session_store.go
index 2aabc44..e065182 100644
--- a/src/helsinki.at/rhimport/session_store.go
+++ b/src/helsinki.at/rhimport/session_store.go
@@ -79,7 +79,15 @@ type SessionStore struct {
 }
 
 func (self *SessionStore) new(ctx *ImportContext) (resp newSessionResponse) {
-	// TODO: for untrusted interfaces we need to check Username and PassWord!!!!
+	if !ctx.Trusted {
+		if ok, err := ctx.rddb.CheckPassword(ctx.UserName, ctx.Password); err != nil {
+			resp.err = err
+			return
+		} else if !ok {
+			resp.err = fmt.Errorf("invalid username and/or password")
+			return
+		}
+	}
 	b := uuid.NewV4().Bytes()
 	resp.id = strings.ToLower(strings.TrimRight(base32.StdEncoding.EncodeToString(b), "="))
 	if _, exists := self.store[ctx.UserName]; !exists {
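Review bot: The `else if !ok` branch reports the failure as a freshly formatted string, so anything calling SessionStore.new can only separate "bad credentials" from "database error" by matching message text, which makes mapping to 401 versus 500 fragile; declare `var ErrInvalidCredentials = errors.New("invalid username and/or password")` at package level and return it here, with `errors.Is` at the call site (checkPassword in fetcher.go uses the same literal and could share it). The database error on the `err != nil` branch is passed back unchanged; if that value ever reaches an untrusted client it may carry driver or SQL detail, so wrap or replace it before it leaves the server. `fmt.Errorf` with no verbs is better written as `errors.New`, and whether `fmt` is already imported in session_store.go cannot be seen in this hunk. `new` continues past the end of the hunk, so the session is created only after this check but what happens on the `Trusted` path is unchanged.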