gophish/auth/auth.go

package auth

import (
	"encoding/gob"
	"errors"
	"fmt"
	"io"
	"net/http"

	"crypto/rand"

	ctx "github.com/gorilla/context"
	"github.com/gorilla/securecookie"
	"github.com/gorilla/sessions"
	"github.com/jordan-wright/gophish/models"
	"golang.org/x/crypto/bcrypt"
)

//init registers the necessary models to be saved in the session later
func init() {
	gob.Register(&models.User{})
	gob.Register(&models.Flash{})
}

var Store = sessions.NewCookieStore(
	[]byte(securecookie.GenerateRandomKey(64)), //Signing key
	[]byte(securecookie.GenerateRandomKey(32)))

var ErrInvalidPassword = errors.New("Invalid Password")

// Login attempts to login the user given a request.
func Login(r *http.Request) (bool, error) {
	username, password := r.FormValue("username"), r.FormValue("password")
	session, _ := Store.Get(r, "gophish")
	u, err := models.GetUserByUsername(username)
	if err != nil && err != models.ErrUsernameTaken {
		return false, err
	}
	//If we've made it here, we should have a valid user stored in u
	//Let's check the password
	err = bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(password))
	if err != nil {
		ctx.Set(r, "user", nil)
		return false, ErrInvalidPassword
	}
	ctx.Set(r, "user", u)
	session.Values["id"] = u.Id
	return true, nil
}

// Register attempts to register the user given a request.
func Register(r *http.Request) (bool, error) {
	username, password := r.FormValue("username"), r.FormValue("password")
	u, err := models.GetUserByUsername(username)
	// If we have an error which is not simply indicating that no user was found, report it
	if err != nil {
		fmt.Println(err)
		return false, err
	}
	fmt.Println("Made it here!")
	u = models.User{}
	//If we've made it here, we should have a valid username given
	//Let's create the password hash
	h, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
	if err != nil {
		return false, err
	}
	u.Username = username
	u.Hash = string(h)
	u.ApiKey = GenerateSecureKey()
	err = models.PutUser(&u)
	return true, nil
}

func GenerateSecureKey() string {
	// Inspired from gorilla/securecookie
	k := make([]byte, 32)
	io.ReadFull(rand.Reader, k)
	return fmt.Sprintf("%x", k)
}

func ChangePassword(r *http.Request) error {
	u := ctx.Get(r, "user").(models.User)
	c, n := r.FormValue("current_password"), r.FormValue("new_password")
	// Check the current password
	err := bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(c))
	if err != nil {
		return ErrInvalidPassword
	} else {
		// Generate the new hash
		h, err := bcrypt.GenerateFromPassword([]byte(n), bcrypt.DefaultCost)
		if err != nil {
			return err
		}
		u.Hash = string(h)
		if err = models.PutUser(&u); err != nil {
			return err
		}
		return nil
	}
}
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`package auth`

			`import (`
Moved DB to root folder Created db package to handle DB connection/queries Removed Setup.go (now handled in db package) Setup context in middleware 2014-01-09 23:18:49 +00:00			`"encoding/gob"`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`"errors"`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`"fmt"`
			`"io"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`"net/http"`

Cleaned up comments for auth.go 2014-03-18 19:28:47 +00:00			`"crypto/rand"`
Registration works again. Additional cleanup, removing unused code 2015-02-07 23:30:22 +00:00
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`ctx "github.com/gorilla/context"`
			`"github.com/gorilla/securecookie"`
			`"github.com/gorilla/sessions"`
			`"github.com/jordan-wright/gophish/models"`
Updated bcrypt dependency - fixes #63 2016-01-10 20:54:59 +00:00			`"golang.org/x/crypto/bcrypt"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`)`

Moved DB to root folder Created db package to handle DB connection/queries Removed Setup.go (now handled in db package) Setup context in middleware 2014-01-09 23:18:49 +00:00			`//init registers the necessary models to be saved in the session later`
			`func init() {`
			`gob.Register(&models.User{})`
Added ability to reset API token Cleaned up session flash handling 2014-02-02 20:47:06 +00:00			`gob.Register(&models.Flash{})`
Moved DB to root folder Created db package to handle DB connection/queries Removed Setup.go (now handled in db package) Setup context in middleware 2014-01-09 23:18:49 +00:00			`}`

Cleaned API even more (everything is via HandlerFunc) Sessions are now encrypted as well as signed. 2014-01-11 04:37:42 +00:00			`var Store = sessions.NewCookieStore(`
			`[]byte(securecookie.GenerateRandomKey(64)), //Signing key`
Renamed CheckLogin to Login Changed encryption cookie to be 32 bytes (64 bytes not supported) 2014-01-11 06:10:52 +00:00			`[]byte(securecookie.GenerateRandomKey(32)))`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`var ErrInvalidPassword = errors.New("Invalid Password")`

Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`// Login attempts to login the user given a request.`
Renamed CheckLogin to Login Changed encryption cookie to be 32 bytes (64 bytes not supported) 2014-01-11 06:10:52 +00:00			`func Login(r *http.Request) (bool, error) {`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`username, password := r.FormValue("username"), r.FormValue("password")`
			`session, _ := Store.Get(r, "gophish")`
Major refactoring - modularized models into separate files. Removed db package (moved to models) I will be looking to migrate to gorm (instead of gorp) soon! 2014-03-25 03:31:33 +00:00			`u, err := models.GetUserByUsername(username)`
Working on gorm integration TODO: [ ] Finish up groups (many-to-many with group_targets) [ ] Convert Template models 2014-03-26 04:53:51 +00:00			`if err != nil && err != models.ErrUsernameTaken {`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`return false, err`
			`}`
			`//If we've made it here, we should have a valid user stored in u`
			`//Let's check the password`
Moved DB to root folder Created db package to handle DB connection/queries Removed Setup.go (now handled in db package) Setup context in middleware 2014-01-09 23:18:49 +00:00			`err = bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(password))`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`if err != nil {`
Moved DB to root folder Created db package to handle DB connection/queries Removed Setup.go (now handled in db package) Setup context in middleware 2014-01-09 23:18:49 +00:00			`ctx.Set(r, "user", nil)`
A couple more auth.go cleanups 2014-03-18 19:35:02 +00:00			`return false, ErrInvalidPassword`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`}`
Moved DB to root folder Created db package to handle DB connection/queries Removed Setup.go (now handled in db package) Setup context in middleware 2014-01-09 23:18:49 +00:00			`ctx.Set(r, "user", u)`
			`session.Values["id"] = u.Id`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`return true, nil`
			`}`

Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`// Register attempts to register the user given a request.`
			`func Register(r *http.Request) (bool, error) {`
			`username, password := r.FormValue("username"), r.FormValue("password")`
Major refactoring - modularized models into separate files. Removed db package (moved to models) I will be looking to migrate to gorm (instead of gorp) soon! 2014-03-25 03:31:33 +00:00			`u, err := models.GetUserByUsername(username)`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`// If we have an error which is not simply indicating that no user was found, report it`
Registration works again. Additional cleanup, removing unused code 2015-02-07 23:30:22 +00:00			`if err != nil {`
			`fmt.Println(err)`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`return false, err`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`}`
Registration works again. Additional cleanup, removing unused code 2015-02-07 23:30:22 +00:00			`fmt.Println("Made it here!")`
			`u = models.User{}`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`//If we've made it here, we should have a valid username given`
			`//Let's create the password hash`
			`h, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)`
			`if err != nil {`
			`return false, err`
			`}`
Registration works again. Additional cleanup, removing unused code 2015-02-07 23:30:22 +00:00			`u.Username = username`
			`u.Hash = string(h)`
			`u.ApiKey = GenerateSecureKey()`
			`err = models.PutUser(&u)`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`return true, nil`
			`}`

			`func GenerateSecureKey() string {`
			`// Inspired from gorilla/securecookie`
			`k := make([]byte, 32)`
			`io.ReadFull(rand.Reader, k)`
			`return fmt.Sprintf("%x", k)`
			`}`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`func ChangePassword(r *http.Request) error {`
			`u := ctx.Get(r, "user").(models.User)`
			`c, n := r.FormValue("current_password"), r.FormValue("new_password")`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`// Check the current password`
			`err := bcrypt.CompareHashAndPassword([]byte(u.Hash), []byte(c))`
			`if err != nil {`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`return ErrInvalidPassword`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`} else {`
			`// Generate the new hash`
			`h, err := bcrypt.GenerateFromPassword([]byte(n), bcrypt.DefaultCost)`
			`if err != nil {`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`return err`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`}`
			`u.Hash = string(h)`
Major refactoring - modularized models into separate files. Removed db package (moved to models) I will be looking to migrate to gorm (instead of gorp) soon! 2014-03-25 03:31:33 +00:00			`if err = models.PutUser(&u); err != nil {`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`return err`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`}`
Implemented ChangePassword() (now password can be changed from /settings) A couple of UI fixes in tables 2014-02-10 19:02:44 +00:00			`return nil`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`}`
			`}`