From 62ebc38acc54335ed7c4b14551fae828efddc333 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 26 Dec 2015 09:58:34 +0100
Subject: session store now checks password

diff --git a/src/helsinki.at/rhimport/fetcher.go b/src/helsinki.at/rhimport/fetcher.go
index acb6592..81072eb 100644
--- a/src/helsinki.at/rhimport/fetcher.go
+++ b/src/helsinki.at/rhimport/fetcher.go
@@ -247,31 +247,14 @@ func fetcher_init() {
 }
 
 func checkPassword(ctx *ImportContext, result *FetchResult) (err error) {
-	cached := true
-
-	for {
-		res_ch := make(chan getPasswordResult)
-		req := getPasswordRequest{}
-		req.username = ctx.UserName
-		req.cached = cached
-		req.response = res_ch
-		ctx.rddb.getPasswordChan <- req
-
-		res := <-res_ch
-		if res.err != nil {
-			return res.err
-		}
-		if ctx.Password == res.password {
-			return nil
-		}
-		if cached {
-			cached = false
-		} else {
-			break
-		}
+	ok := false
+	if ok, err = ctx.rddb.CheckPassword(ctx.UserName, ctx.Password); err != nil {
+		return
+	}
+	if !ok {
+		result.ResponseCode = http.StatusUnauthorized
+		result.ErrorString = "invalid username and/or password"
 	}
-	result.ResponseCode = http.StatusUnauthorized
-	result.ErrorString = "invalid username and/or password"
 	return
 }
diff --git a/src/helsinki.at/rhimport/rddb.go b/src/helsinki.at/rhimport/rddb.go
index 514abdf..7466d9c 100644
--- a/src/helsinki.at/rhimport/rddb.go
+++ b/src/helsinki.at/rhimport/rddb.go
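Review bot: `ok := false` on the first added line of checkPassword exists only to keep `err` from being shadowed: an `if ok, err := ...` initializer would declare a new `err` in the if scope and the bare `return` would then hand back the nil named result. Declaring both at function scope makes that intent explicit and drops the dead initial value: `ok, err := ctx.rddb.CheckPassword(ctx.UserName, ctx.Password)` followed by `if err != nil {` / `return` / `}`. A short why-comment on the call, such as `// CheckPassword tries the cached password first and re-queries the database on mismatch`, would spare the next reader a trip to rddb.go. checkPassword starts and ends within this hunk.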
@@ -177,6 +177,33 @@ func (self *RdDb) getPassword(username string, cached bool) (result getPasswordR
 	return
 }
 
+func (self *RdDbChan) CheckPassword(username, password string) (result bool, err error) {
+	cached := true
+
+	for {
+		res_ch := make(chan getPasswordResult)
+		req := getPasswordRequest{}
+		req.username = username
+		req.cached = cached
+		req.response = res_ch
+		self.getPasswordChan <- req
+
+		res := <-res_ch
+		if res.err != nil {
+			return false, res.err
+		}
+		if password == res.password {
+			return true, nil
+		}
+		if cached {
+			cached = false
+		} else {
+			break
+		}
+	}
+	return false, nil
+}
+
 func (self *RdDb) getGroupOfCart(cart uint) (result getGroupOfCartResult) {
 	var rows *sql.Rows
 	if rows, result.err = self.getGroupOfCartStmt.Query(cart, cart); result.err != nil {
diff --git a/src/helsinki.at/rhimport/session_store.go b/src/helsinki.at/rhimport/session_store.go
index 2aabc44..e065182 100644
--- a/src/helsinki.at/rhimport/session_store.go
+++ b/src/helsinki.at/rhimport/session_store.go
@@ -79,7 +79,15 @@ type SessionStore struct {
 }
 
 func (self *SessionStore) new(ctx *ImportContext) (resp newSessionResponse) {
-	// TODO: for untrusted interfaces we need to check Username and PassWord!!!!
+	if !ctx.Trusted {
+		if ok, err := ctx.rddb.CheckPassword(ctx.UserName, ctx.Password); err != nil {
+			resp.err = err
+			return
+		} else if !ok {
+			resp.err = fmt.Errorf("invalid username and/or password")
+			return
+		}
+	}
 	b := uuid.NewV4().Bytes()
 	resp.id = strings.ToLower(strings.TrimRight(base32.StdEncoding.EncodeToString(b), "="))
 	if _, exists := self.store[ctx.UserName]; !exists {
-- 
cgit v0.10.2
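Review bot: `if password == res.password` in the new CheckPassword compares the submitted credential with `==`, which stops at the first differing byte; for a password check prefer `if subtle.ConstantTimeCompare([]byte(password), []byte(res.password)) == 1 {` (import `crypto/subtle`). The loop also returns `res.err` verbatim, so if getPassword reports an unknown user as an error (its body is above this hunk, so that cannot be confirmed here) a caller gets a different error for a missing user than for a wrong password, which lets a client tell the two apart; mapping that case to `return false, nil` keeps them indistinguishable. The exported method has no doc comment; `// CheckPassword reports whether password matches the stored password for username, trying the cached value first and re-querying on mismatch.` would state the contract. CheckPassword starts and ends within this hunk.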
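Review bot: The `else if !ok` branch in SessionStore.new builds the credential failure with `fmt.Errorf("invalid username and/or password")`, a fresh error whose text duplicates the literal in fetcher.go's checkPassword, so whoever consumes `resp.err` cannot separate a rejected login (which fetcher.go maps to 401) from a database failure without matching on the message. A package-level sentinel, `var ErrInvalidCredentials = errors.New("invalid username and/or password")` (import `errors`), assigned here as `resp.err = ErrInvalidCredentials` and reused by checkPassword, lets the caller compare `err == ErrInvalidCredentials` and pick the status accordingly. The `else` after the terminating `return` can also go so the happy path stays flat. SessionStore.new continues past the end of this hunk.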