gophish/auth/auth.go

package auth

import (
	"errors"
	"net/http"

	ctx "github.com/gophish/gophish/context"
	"github.com/gophish/gophish/models"
	"golang.org/x/crypto/bcrypt"
)

// ErrInvalidPassword is thrown when a user provides an incorrect password.
var ErrInvalidPassword = errors.New("Invalid Password")

// ErrPasswordMismatch is thrown when a user provides a blank password to the register
// or change password functions
var ErrPasswordMismatch = errors.New("Password cannot be blank")

// ErrEmptyPassword is thrown when a user provides a blank password to the register
// or change password functions
var ErrEmptyPassword = errors.New("No password provided")

// Login attempts to login the user given a request.
func Login(r *http.Request) (bool, models.User, error) {
	username, password := r.FormValue("username"), r.FormValue("password")
	u, err := models.GetUserByUsername(username)
	if err != nil {
		return false, models.User{}, err
	}
	//If we've made it here, we should have a valid user stored in u
	//Let's check the password
	err = bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(password))
	if err != nil {
		return false, models.User{}, ErrInvalidPassword
	}
	return true, u, nil
}

// ChangePassword verifies the current password provided in the request and,
// if it's valid, changes the password for the authenticated user.
func ChangePassword(r *http.Request) error {
	u := ctx.Get(r, "user").(models.User)
	currentPw := r.FormValue("current_password")
	newPassword := r.FormValue("new_password")
	confirmPassword := r.FormValue("confirm_new_password")
	// Check the current password
	err := bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(currentPw))
	if err != nil {
		return ErrInvalidPassword
	}
	// Check that the new password isn't blank
	if newPassword == "" {
		return ErrEmptyPassword
	}
	// Check that new passwords match
	if newPassword != confirmPassword {
		return ErrPasswordMismatch
	}
	// Generate the new hash
	h, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
	if err != nil {
		return err
	}
	u.Hash = string(h)
	if err = models.PutUser(&u); err != nil {
		return err
	}
	return nil
}
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`package auth`

			`import (`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`"errors"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`"net/http"`

Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`ctx "github.com/gophish/gophish/context"`
Fixing dependencies 2016-01-12 04:46:48 +00:00			`"github.com/gophish/gophish/models"`
Updated bcrypt dependency - fixes #63 2016-01-10 20:54:59 +00:00			`"golang.org/x/crypto/bcrypt"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`)`

Added documentation for multiple endpoints. Fixes #54 2016-01-25 02:47:16 +00:00			`// ErrInvalidPassword is thrown when a user provides an incorrect password.`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`var ErrInvalidPassword = errors.New("Invalid Password")`

Implement User Management API (#1473) This implements the first pass for a user management API allowing users with the `ModifySystem` permission to create, modify, and delete users. In addition to this, any user is able to use the API to view or modify their own account information. 2019-05-31 18:58:18 +00:00			`// ErrPasswordMismatch is thrown when a user provides a blank password to the register`
Removing support for empty passwords - fixes #149 2016-02-13 22:37:12 +00:00			`// or change password functions`
Implement User Management API (#1473) This implements the first pass for a user management API allowing users with the `ModifySystem` permission to create, modify, and delete users. In addition to this, any user is able to use the API to view or modify their own account information. 2019-05-31 18:58:18 +00:00			`var ErrPasswordMismatch = errors.New("Password cannot be blank")`
Confirm password on registration or change Updated to confirm password when registering user or changing a user's password. Fixes #180 2016-03-02 13:30:46 +00:00
Implement User Management API (#1473) This implements the first pass for a user management API allowing users with the `ModifySystem` permission to create, modify, and delete users. In addition to this, any user is able to use the API to view or modify their own account information. 2019-05-31 18:58:18 +00:00			`// ErrEmptyPassword is thrown when a user provides a blank password to the register`
			`// or change password functions`
			`var ErrEmptyPassword = errors.New("No password provided")`
Fix to raise error when trying to register a duplicate username (#926) This corrects a minor error from recent changes in which registering an existing username didn't throw an error. 2018-01-13 22:35:58 +00:00
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`// Login attempts to login the user given a request.`
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`func Login(r *http.Request) (bool, models.User, error) {`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`username, password := r.FormValue("username"), r.FormValue("password")`
Major refactoring - modularized models into separate files. Removed db package (moved to models) I will be looking to migrate to gorm (instead of gorp) soon! 2014-03-25 03:31:33 +00:00			`u, err := models.GetUserByUsername(username)`
Refactor GetUserByUsername method not to suppress an error (#920) Also adding some other tests for the User models. 2018-01-12 00:37:38 +00:00			`if err != nil {`
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`return false, models.User{}, err`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`}`
			`//If we've made it here, we should have a valid user stored in u`
			`//Let's check the password`
Moved DB to root folder Created db package to handle DB connection/queries Removed Setup.go (now handled in db package) Setup context in middleware 2014-01-09 23:18:49 +00:00			`err = bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(password))`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`if err != nil {`
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`return false, models.User{}, ErrInvalidPassword`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`}`
Fixing context issues with Go 1.7. 2016-09-15 03:24:51 +00:00			`return true, u, nil`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`}`

Fixed various minor linting issues 2018-12-16 03:38:51 +00:00			`// ChangePassword verifies the current password provided in the request and,`
			`// if it's valid, changes the password for the authenticated user.`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`func ChangePassword(r *http.Request) error {`
			`u := ctx.Get(r, "user").(models.User)`
Confirm password on registration or change Updated to confirm password when registering user or changing a user's password. Fixes #180 2016-03-02 13:30:46 +00:00			`currentPw := r.FormValue("current_password")`
Use more descriptive variable names in auth.go 2016-03-03 00:59:40 +00:00			`newPassword := r.FormValue("new_password")`
			`confirmPassword := r.FormValue("confirm_new_password")`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`// Check the current password`
Confirm password on registration or change Updated to confirm password when registering user or changing a user's password. Fixes #180 2016-03-02 13:30:46 +00:00			`err := bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(currentPw))`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`if err != nil {`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`return ErrInvalidPassword`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`}`
Removing support for empty passwords - fixes #149 2016-02-13 22:37:12 +00:00			`// Check that the new password isn't blank`
Use more descriptive variable names in auth.go 2016-03-03 00:59:40 +00:00			`if newPassword == "" {`
Removing support for empty passwords - fixes #149 2016-02-13 22:37:12 +00:00			`return ErrEmptyPassword`
			`}`
Confirm password on registration or change Updated to confirm password when registering user or changing a user's password. Fixes #180 2016-03-02 13:30:46 +00:00			`// Check that new passwords match`
Use more descriptive variable names in auth.go 2016-03-03 00:59:40 +00:00			`if newPassword != confirmPassword {`
Confirm password on registration or change Updated to confirm password when registering user or changing a user's password. Fixes #180 2016-03-02 13:30:46 +00:00			`return ErrPasswordMismatch`
			`}`
Removing support for empty passwords - fixes #149 2016-02-13 22:37:12 +00:00			`// Generate the new hash`
Use more descriptive variable names in auth.go 2016-03-03 00:59:40 +00:00			`h, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)`
Removing support for empty passwords - fixes #149 2016-02-13 22:37:12 +00:00			`if err != nil {`
			`return err`
			`}`
			`u.Hash = string(h)`
			`if err = models.PutUser(&u); err != nil {`
			`return err`
			`}`
			`return nil`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`}`