From c9e1bf65fa145efd2ba1f74e8a1444b5ce6568ed Mon Sep 17 00:00:00 2001
From: efim
Date: Sat, 18 Nov 2023 07:41:52 +0000
Subject: [PATCH] feat: passwords hashing
---
 go.mod | 1 +
 go.sum | 2 ++
 routes/login_page.go | 34 ++++++++++++++++++++++++++++------
 3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 4f5b2ce..9ca79f9 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.20
 require (
 github.com/kr/pretty v0.3.1
 github.com/redis/go-redis/v9 v9.2.1
+ golang.org/x/crypto v0.15.0
 )
 require (
diff --git a/go.sum b/go.sum
index bfcf2c8..447f822 100644
--- a/go.sum
+++ b/go.sum
@@ -14,3 +14,5 @@ github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6Qml
 github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
+golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
diff --git a/routes/login_page.go b/routes/login_page.go
index 1585c3f..eb3048a 100644
--- a/routes/login_page.go
+++ b/routes/login_page.go
@@ -11,6 +11,8 @@ import (
 "strconv"
 "time"
+ "golang.org/x/crypto/bcrypt"
+
 "sunshine.industries/some-automoderation/rooms"
 "sunshine.industries/some-automoderation/sessions"
 )
@@ -125,14 +127,20 @@ func createRoomHandler(templateFs *embed.FS,
 log.Printf("error, room name occupied %s", roomName)
 return
 }
+ personPassHash, err := hashPassword(r.PostFormValue("personalPassword"))
+ if err != nil {
+ log.Printf("error, room name occupied %s", roomName)
+ return
+ }
 person := rooms.Person{
 Id: rooms.RandomPersonId(),
 Name: r.PostFormValue("personalName"),
- PasswordHash: r.PostFormValue("personalPassword"), // TODO hash the password, not to store
+ PasswordHash: personPassHash,
 }
+ roomPassHash, err := hashPassword(r.PostFormValue("roomPassword"))
 newRoom := rooms.Room{
 Name: roomName,
- PasswordHash: r.PostFormValue("roomPassword"), // TODO hash the password, not to store
+ PasswordHash: roomPassHash,
 AdminIds: []rooms.PersonId{person.Id},
 Paricipants: []rooms.PersonId{person.Id},
 AllKnownPeople: map[rooms.PersonId]rooms.Person{
@@ -207,7 +215,7 @@ func joinRoomHandler(templateFs *embed.FS,
 }
 // b) check if room password OK
- if room.PasswordHash != roomPass {
+ if !isPasswordCorrect(roomPass, room.PasswordHash) {
 log.Printf("/login/join bad room pass for %+v", room)
 w.WriteHeader(http.StatusForbidden)
 // TODO render error to be put in error place
@@ -223,7 +231,7 @@ func joinRoomHandler(templateFs *embed.FS,
 // c) check if such person exists,
 // knownPerson, found :=
 // check the password
- if (person != rooms.Person{}) && person.PasswordHash != personPass {
+ if (person != rooms.Person{}) && !isPasswordCorrect(personPass, person.PasswordHash) {
 log.Printf("/login/join bad person pass for %+s", person.Name)
 w.WriteHeader(http.StatusForbidden)
 // TODO render error to be put in error place
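Review bot: The error from the second hashPassword call, `roomPassHash, err := hashPassword(r.PostFormValue("roomPassword"))`, is never checked, so if hashing fails the room is stored with an empty PasswordHash that no later join can ever match; the same unchecked pattern appears in the `@@ -233,12 +241,13 @@` hunk (`personPassHash, err := hashPassword(personPass)`). The check that does exist for personPassHash logs `"error, room name occupied %s"`, copied from the branch above it, which will send whoever reads the logs down the wrong path. Both calls should handle the error explicitly, and it is probably worth writing a status before returning (`w.WriteHeader(http.StatusInternalServerError)`), though the existing occupied branch does not and createRoomHandler starts and ends outside this hunk, so that depends on how the rest of the handler reports failures.
```go
	personPassHash, err := hashPassword(r.PostFormValue("personalPassword"))
	if err != nil {
		log.Printf("error hashing person password for room %s: %v", roomName, err)
		return
	}
	// … unchanged: person literal …
	roomPassHash, err := hashPassword(r.PostFormValue("roomPassword"))
	if err != nil {
		log.Printf("error hashing room password for room %s: %v", roomName, err)
		return
	}
	// … unchanged: newRoom literal …
```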
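Review bot: The rejection branch directly under the new `!isPasswordCorrect(roomPass, room.PasswordHash)` check, `log.Printf("/login/join bad room pass for %+v", room)`, dumps the whole Room value into the log on every wrong-password attempt; judging from the Room literal in createRoomHandler that includes the room's PasswordHash and every Person in AllKnownPeople together with their hashes. Password hashes, bcrypt or not, should not land in log files, and the identifier is enough to trace the attempt: `log.Printf("/login/join bad room pass for %q", room.Name)`. The sibling branch in the `@@ -223,7 +231,7 @@` hunk already logs only person.Name. joinRoomHandler starts and ends outside this hunk.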
@@ -233,12 +241,13 @@ func joinRoomHandler(templateFs *embed.FS,
 if (person == rooms.Person{}) {
 log.Printf("/login/join room pass correct, new person joins")
 // creating a new person with provided password hash
+ personPassHash, err := hashPassword(personPass)
 person = rooms.Person{
 Name: personName,
- PasswordHash: personPass,
+ PasswordHash: personPassHash,
 Id: rooms.RandomPersonId(),
 }
- err := roomsM.Update(r.Context(), room.Name, func(fromRoom rooms.Room) (toRoom rooms.Room) {
+ err = roomsM.Update(r.Context(), room.Name, func(fromRoom rooms.Room) (toRoom rooms.Room) {
 log.Printf("/login/join about to modify room %+v", fromRoom)
 toRoom = fromRoom
 toRoom.AllKnownPeople[person.Id] = person
@@ -330,3 +339,16 @@ func logoutRoute(sessionSM sessions.SessionManagement,
 w.Header().Add("HX-Redirect", "/")
 }
 }
+
+func isPasswordCorrect(password, hash string) bool {
+ err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+ return err == nil
+}
+
+func hashPassword(password string) (string, error) {
+ hashBytes, err := bcrypt.GenerateFromPassword([]byte(password), 0)
+ if err != nil {
+ return "", err
+ }
+ return string(hashBytes), nil
+}
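Review bot: hashPassword passes cost `0` to bcrypt.GenerateFromPassword, which only works because the library substitutes its default for any cost below bcrypt.MinCost; `bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)` states the intent and makes the work factor a visible tuning point. bcrypt also consumes at most the first 72 bytes of the input — depending on the x/crypto version, longer passwords are either silently truncated or rejected with an error — so a doc comment such as `// hashPassword returns a bcrypt hash of password; bcrypt uses at most the first 72 bytes of the input.` is worth adding. isPasswordCorrect collapses every CompareHashAndPassword error, including an empty or non-bcrypt stored hash, into false, which is the safe direction, but it means any room or person persisted with a plaintext PasswordHash before this commit can no longer authenticate; if such records exist in Redis, a migration or re-registration path is needed, and a comment on isPasswordCorrect stating that a malformed hash is treated as a mismatch would make that behaviour explicit.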