mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-07-14 22:11:13 +00:00
fix: use constant time in user checks (#1004)
This commit is contained in:
@@ -708,7 +708,7 @@ func TestProxyController(t *testing.T) {
|
|||||||
Log: log,
|
Log: log,
|
||||||
})
|
})
|
||||||
|
|
||||||
authService := service.NewAuthService(service.AuthServiceInput{
|
authService, err := service.NewAuthService(service.AuthServiceInput{
|
||||||
Log: log,
|
Log: log,
|
||||||
Config: &cfg,
|
Config: &cfg,
|
||||||
Runtime: &runtime,
|
Runtime: &runtime,
|
||||||
@@ -721,6 +721,8 @@ func TestProxyController(t *testing.T) {
|
|||||||
PolicyEngine: policyEngine,
|
PolicyEngine: policyEngine,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
t.Run(test.description, func(t *testing.T) {
|
t.Run(test.description, func(t *testing.T) {
|
||||||
router := gin.Default()
|
router := gin.Default()
|
||||||
|
|||||||
@@ -90,6 +90,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
|
|||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if errors.Is(err, service.ErrUserNotFound) {
|
if errors.Is(err, service.ErrUserNotFound) {
|
||||||
|
controller.auth.DummyPasswordCheck(req.Password)
|
||||||
controller.log.App.Warn().Str("username", req.Username).Msg("User not found during login attempt")
|
controller.log.App.Warn().Str("username", req.Username).Msg("User not found during login attempt")
|
||||||
controller.auth.RecordLoginAttempt(req.Username, false)
|
controller.auth.RecordLoginAttempt(req.Username, false)
|
||||||
controller.log.AuditLoginFailure(req.Username, "unknown", c.ClientIP(), "user not found")
|
controller.log.AuditLoginFailure(req.Username, "unknown", c.ClientIP(), "user not found")
|
||||||
|
|||||||
@@ -542,7 +542,8 @@ func TestUserController(t *testing.T) {
|
|||||||
Runtime: &runtime,
|
Runtime: &runtime,
|
||||||
Ctx: ctx,
|
Ctx: ctx,
|
||||||
})
|
})
|
||||||
authService := service.NewAuthService(service.AuthServiceInput{
|
|
||||||
|
authService, err := service.NewAuthService(service.AuthServiceInput{
|
||||||
Log: log,
|
Log: log,
|
||||||
Config: &cfg,
|
Config: &cfg,
|
||||||
Runtime: &runtime,
|
Runtime: &runtime,
|
||||||
@@ -555,6 +556,8 @@ func TestUserController(t *testing.T) {
|
|||||||
PolicyEngine: policyEngine,
|
PolicyEngine: policyEngine,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
beforeEach := func() {
|
beforeEach := func() {
|
||||||
// Clear failed login attempts before each test
|
// Clear failed login attempts before each test
|
||||||
authService.ClearLoginAttempts()
|
authService.ClearLoginAttempts()
|
||||||
|
|||||||
@@ -2,6 +2,7 @@ package middleware
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
@@ -244,6 +245,9 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
|
|||||||
search, err := m.auth.SearchUser(username)
|
search, err := m.auth.SearchUser(username)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
if errors.Is(err, service.ErrUserNotFound) {
|
||||||
|
m.auth.DummyPasswordCheck(password)
|
||||||
|
}
|
||||||
return nil, nil, fmt.Errorf("error searching for user: %w", err)
|
return nil, nil, fmt.Errorf("error searching for user: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -264,7 +264,8 @@ func TestContextMiddleware(t *testing.T) {
|
|||||||
Runtime: &runtime,
|
Runtime: &runtime,
|
||||||
Ctx: ctx,
|
Ctx: ctx,
|
||||||
})
|
})
|
||||||
authService := service.NewAuthService(service.AuthServiceInput{
|
|
||||||
|
authService, err := service.NewAuthService(service.AuthServiceInput{
|
||||||
Log: log,
|
Log: log,
|
||||||
Config: &cfg,
|
Config: &cfg,
|
||||||
Runtime: &runtime,
|
Runtime: &runtime,
|
||||||
@@ -277,6 +278,8 @@ func TestContextMiddleware(t *testing.T) {
|
|||||||
PolicyEngine: policyEngine,
|
PolicyEngine: policyEngine,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
contextMiddleware := NewContextMiddleware(ContextMiddlewareInput{
|
contextMiddleware := NewContextMiddleware(ContextMiddlewareInput{
|
||||||
Log: log,
|
Log: log,
|
||||||
RuntimeConfig: &runtime,
|
RuntimeConfig: &runtime,
|
||||||
|
|||||||
@@ -69,6 +69,8 @@ type AuthService struct {
|
|||||||
tailscale *TailscaleService
|
tailscale *TailscaleService
|
||||||
policyEngine *PolicyEngine
|
policyEngine *PolicyEngine
|
||||||
|
|
||||||
|
dummyHash string
|
||||||
|
|
||||||
lockdown struct {
|
lockdown struct {
|
||||||
active bool
|
active bool
|
||||||
until time.Time
|
until time.Time
|
||||||
@@ -101,7 +103,7 @@ type AuthServiceInput struct {
|
|||||||
PolicyEngine *PolicyEngine
|
PolicyEngine *PolicyEngine
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewAuthService(i AuthServiceInput) *AuthService {
|
func NewAuthService(i AuthServiceInput) (*AuthService, error) {
|
||||||
service := &AuthService{
|
service := &AuthService{
|
||||||
log: i.Log,
|
log: i.Log,
|
||||||
runtime: i.Runtime,
|
runtime: i.Runtime,
|
||||||
@@ -123,6 +125,15 @@ func NewAuthService(i AuthServiceInput) *AuthService {
|
|||||||
loginCacheSize = service.maxLoginLimits
|
loginCacheSize = service.maxLoginLimits
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// dummy hash
|
||||||
|
dummyHash, err := bcrypt.GenerateFromPassword([]byte(utils.GenerateString(8)), bcrypt.DefaultCost)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to generate dummy hash: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
service.dummyHash = string(dummyHash)
|
||||||
|
|
||||||
// caches setup
|
// caches setup
|
||||||
oauthCache := NewCacheStore[OAuthPendingSession](256)
|
oauthCache := NewCacheStore[OAuthPendingSession](256)
|
||||||
loginCache := NewCacheStore[LoginAttempt](loginCacheSize)
|
loginCache := NewCacheStore[LoginAttempt](loginCacheSize)
|
||||||
@@ -148,7 +159,11 @@ func NewAuthService(i AuthServiceInput) *AuthService {
|
|||||||
}
|
}
|
||||||
}, ding.RingMinor)
|
}, ding.RingMinor)
|
||||||
|
|
||||||
return service
|
return service, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (auth *AuthService) DummyPasswordCheck(password string) {
|
||||||
|
bcrypt.CompareHashAndPassword([]byte(auth.dummyHash), []byte(password))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error) {
|
func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error) {
|
||||||
|
|||||||
Reference in New Issue
Block a user