Enha: input check; hash passwords

2026-02-20 09:15:14 +03:00
parent f61de5645d
commit 83d4f88eb5
4 changed files with 136 additions and 4 deletions
--- a/handlers/auth.go
+++ b/handlers/auth.go
@@ -2,8 +2,10 @@ package handlers

 import (
 	"crypto/hmac"
+	"crypto/md5"
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"gralias/models"
 	"gralias/utils"
@@ -65,7 +67,7 @@ func HandleFrontLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	username := r.PostFormValue("username")
-	if username == "" {
+	if username == "" || !utils.IsInputSane(username) {
 		msg := "username not provided"
 		log.Error(msg)
 		abortWithError(w, msg)
@@ -77,6 +79,9 @@ func HandleFrontLogin(w http.ResponseWriter, r *http.Request) {
 	// make sure username does not exists
 	cleanName := utils.RemoveSpacesFromStr(username)
 	clearPass := utils.RemoveSpacesFromStr(password)
+	// hash the password with md5
+	hash := md5.Sum([]byte(clearPass))
+	hashedPass := hex.EncodeToString(hash[:])
 	// check if that user was already in db
 	userstate, err := repo.PlayerGetByName(r.Context(), cleanName)
 	if err != nil || userstate == nil {
@@ -84,8 +89,8 @@ func HandleFrontLogin(w http.ResponseWriter, r *http.Request) {
 		userstate = models.InitPlayer(cleanName)
 		makeplayer = true
 	} else {
-		if userstate.Password != clearPass {
-			log.Error("wrong password", "username", cleanName, "password", clearPass)
+		if userstate.Password != hashedPass {
+			log.Error("wrong password", "username", cleanName)
 			abortWithError(w, "wrong password")
 			return
 		}
@@ -126,7 +131,7 @@ func HandleFrontLogin(w http.ResponseWriter, r *http.Request) {
 		}
 		// save state to cache
 		if makeplayer {
-			userstate.Password = clearPass
+			userstate.Password = hashedPass
 			if err := repo.PlayerAdd(r.Context(), userstate); err != nil {
 				log.Error("failed to save state", "error", err)
 				abortWithError(w, err.Error())