From 4e8418292665953dbde512fe6820f8e8883e5f28 Mon Sep 17 00:00:00 2001
From: Balakrishnan Balasubramanian
Date: Wed, 10 May 2023 20:57:38 -0400
Subject: [PATCH] Add bcrypt support for stats password
---
 go.mod | 9 ++++-----
 go.sum | 9 ++++++---
 results/stats.go | 21 ++++++++++++++++++---
 3 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/go.mod b/go.mod
index e4f2a67..500ab9b 100644
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module github.com/librespeed/speedtest-go
+module github.com/librespeed/speedtest
 
 go 1.25.0
 
@@ -14,6 +14,7 @@ require (
 github.com/gorilla/securecookie v1.1.1
 github.com/gorilla/sessions v1.2.1
 github.com/lib/pq v1.10.4
+ github.com/librespeed/speedtest-go v1.1.6
 github.com/oklog/ulid/v2 v2.0.2
 github.com/oschwald/maxminddb-golang v1.13.1
 github.com/pires/go-proxyproto v0.6.1
@@ -21,6 +22,7 @@ require (
 github.com/spf13/viper v1.10.1
 github.com/umahmood/haversine v0.0.0-20151105152445-808ab04add26
 go.etcd.io/bbolt v1.3.6
+ golang.org/x/crypto v0.48.0
 golang.org/x/image v0.0.0-20211028202545-6944b10bf410
 modernc.org/sqlite v1.50.0
 )
@@ -32,7 +34,6 @@ require (
 github.com/golang-sql/sqlexp v0.1.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
- github.com/kr/pretty v0.2.0 // indirect
 github.com/magiconair/properties v1.8.5 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mitchellh/mapstructure v1.4.3 // indirect
@@ -44,10 +45,8 @@ require (
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/subosito/gotenv v1.2.0 // indirect
- golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
 golang.org/x/sys v0.42.0 // indirect
- golang.org/x/text v0.3.7 // indirect
- gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+ golang.org/x/text v0.34.0 // indirect
 gopkg.in/ini.v1 v1.66.2 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 modernc.org/libc v1.72.0 // indirect
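Review bot: The `module` line is renamed to `github.com/librespeed/speedtest` while the second hunk adds `github.com/librespeed/speedtest-go v1.1.6` as a direct requirement, so the module now depends on a published release of its own former path. A direct (non-`// indirect`) entry suggests some file in the tree still imports packages under the old path; if so, those packages are built from the v1.1.6 release rather than from this working tree, and the password check added in results/stats.go may not be the code that ends up running. Neither change is mentioned in the subject, so confirm both are intended; otherwise point the remaining imports at the new path and drop the requirement. Moving `golang.org/x/crypto` from an indirect pseudo-version to a direct `v0.48.0` is expected for the new bcrypt import.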
diff --git a/go.sum b/go.sum index da55bbb..7145caf 100644 --- a/go.sum +++ b/go.sum @@ -170,6 +170,8 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/lib/pq v1.10.4 h1:SO9z7FRPzA03QhHKJrH5BXA6HU1rS4V2nIVrrNC1iYk= github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/librespeed/speedtest-go v1.1.6 h1:1ldWp9ep94agjHi7wNv3Dkqyl1TnzQYpYU60LmlOo8o= +github.com/librespeed/speedtest-go v1.1.6/go.mod h1:VEnMZZxR+2Vf9Q6VelZFiMnX+EZnNM+UUT4SEBHg58E= github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= @@ -240,8 +242,9 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= +golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -382,8 +385,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= +golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/results/stats.go b/results/stats.go
index 2695236..bf68fc1 100644
--- a/results/stats.go
+++ b/results/stats.go
@@ -6,6 +6,7 @@ import (
 
 "github.com/go-chi/render"
 log "github.com/sirupsen/logrus"
+ "golang.org/x/crypto/bcrypt"
 
 "github.com/gorilla/securecookie"
 "github.com/gorilla/sessions"
@@ -21,8 +22,9 @@ type StatsData struct {
 }
 
 var (
- store *sessions.CookieStore
- conf *config.Config
+ store *sessions.CookieStore
+ conf *config.Config
+ checkPassword func(password string) bool
 )
 
 func statsInitialize(c *config.Config) {
@@ -35,6 +37,19 @@ func statsInitialize(c *config.Config) {
 SameSite: http.SameSiteStrictMode,
 }
 conf = c
+
+ // Check if StatsPassword is a valid bcrypt hash
+ if _, err := bcrypt.Cost([]byte(c.StatsPassword)); err == nil {
+ log.Println("statistics_password is valid bcrypt hash")
+ checkPassword = func(password string) bool {
+ return nil == bcrypt.CompareHashAndPassword([]byte(c.StatsPassword), []byte(password))
+ }
+
+ } else {
+ checkPassword = func(password string) bool {
+ return password == c.StatsPassword
+ }
+ }
 }
 
 func Stats(w http.ResponseWriter, r *http.Request) {
@@ -96,7 +111,7 @@ func Stats(w http.ResponseWriter, r *http.Request) {
 if op == "login" {
 session, _ := store.Get(r, "logged")
 password := r.FormValue("password")
- if password == conf.StatsPassword {
+ if checkPassword(password) {
 session.Values["authenticated"] = true
 session.Save(r, w)
 http.Redirect(w, r, conf.BaseURL+"/stats", http.StatusTemporaryRedirect)
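Review bot: The `else` branch added to statsInitialize silently keeps the plaintext comparison, so a `statistics_password` that was meant to be a bcrypt hash but is truncated or mistyped fails `bcrypt.Cost` and the stored hash string itself becomes the accepted password, with nothing logged. I would log a warning in that branch, e.g. `log.Warn("statistics_password is not a bcrypt hash; comparing as plaintext")`, and make the fallback constant-time with `return subtle.ConstantTimeCompare([]byte(password), []byte(c.StatsPassword)) == 1`, which needs `crypto/subtle` in the import block. It is also worth checking how an empty configured value is handled, since `password == c.StatsPassword` is true for an empty submission; whether Stats rejects that case earlier is not visible in this hunk.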
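Review bot: With a hash configured, every unauthenticated `op == "login"` request now runs a bcrypt comparison at `if checkPassword(password)`, and nothing in the visible lines limits attempts per client, so the endpoint is exposed to online guessing and to CPU exhaustion from repeated logins. Consider an attempt limiter ahead of this check and a log entry on each failed login so repeated failures can be alerted on. The context line above could also read `password := r.PostFormValue("password")` so the secret is accepted only from the request body and not from the query string, where it tends to end up in access logs. Stats starts and ends outside this hunk, so a limiter may already exist elsewhere.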