From de3e46bd1a5d602c23c9a6beedcd70e13fb83ed0 Mon Sep 17 00:00:00 2001 From: Yongfeng LI Date: Mon, 15 Jan 2018 11:05:17 +0800 Subject: [PATCH] return hashed secret afted creating accesstoken check will requie id and the hashed secret --- blockchain/accesstoken/accesstoken.go | 20 ++++++-------------- blockchain/accesstoken/accesstoken_test.go | 10 ++-------- net/http/authn/authn.go | 14 +++----------- 3 files changed, 11 insertions(+), 33 deletions(-) diff --git a/blockchain/accesstoken/accesstoken.go b/blockchain/accesstoken/accesstoken.go index e2b00f3c..9929c6fe 100644 --- a/blockchain/accesstoken/accesstoken.go +++ b/blockchain/accesstoken/accesstoken.go @@ -72,13 +72,12 @@ func (cs *CredentialStore) Create(ctx context.Context, id, typ string) (*string, hashedSecret := make([]byte, tokenSize) sha3pool.Sum256(hashedSecret, secret) - created := time.Now() token := &Token{ ID: id, Token: fmt.Sprintf("%s:%x", id, hashedSecret), Type: typ, - Created: created, + Created: time.Now(), } value, err := json.Marshal(token) @@ -86,34 +85,27 @@ func (cs *CredentialStore) Create(ctx context.Context, id, typ string) (*string, return nil, err } cs.DB.Set(key, value) - hexsec := fmt.Sprintf("%s:%x", id, secret) - return &hexsec, nil + + return &token.Token, nil } // Check returns whether or not an id-secret pair is a valid access token. -func (cs *CredentialStore) Check(ctx context.Context, id string, secret []byte) (bool, error) { +func (cs *CredentialStore) Check(ctx context.Context, id string, secret string) (bool, error) { if !validIDRegexp.MatchString(id) { return false, errors.WithDetailf(ErrBadID, "invalid id %q", id) } - var toHash [tokenSize]byte - var hashed [tokenSize]byte - copy(toHash[:], secret) - sha3pool.Sum256(hashed[:], toHash[:]) - inToken := fmt.Sprintf("%s:%x", id, hashed[:]) - var value []byte token := &Token{} - key := []byte(id) - if value = cs.DB.Get(key); value == nil { + if value = cs.DB.Get([]byte(id)); value == nil { return false, errors.WithDetailf(ErrNoMatchID, "check id %q nonexisting", id) } if err := json.Unmarshal(value, token); err != nil { return false, err } - if strings.Compare(token.Token, inToken) == 0 { + if strings.Compare(strings.Split(token.Token, ":")[1], secret) == 0 { return true, nil } diff --git a/blockchain/accesstoken/accesstoken_test.go b/blockchain/accesstoken/accesstoken_test.go index 4592cb6e..7dc770f5 100644 --- a/blockchain/accesstoken/accesstoken_test.go +++ b/blockchain/accesstoken/accesstoken_test.go @@ -2,7 +2,6 @@ package accesstoken import ( "context" - "encoding/hex" "os" "strings" "testing" @@ -73,13 +72,8 @@ func TestCheck(t *testing.T) { token := mustCreateToken(ctx, t, cs, "x", "client") tokenParts := strings.Split(*token, ":") - tokenID := tokenParts[0] - tokenSecret, err := hex.DecodeString(tokenParts[1]) - if err != nil { - t.Fatal("bad token secret") - } - valid, err := cs.Check(ctx, tokenID, tokenSecret) + valid, err := cs.Check(ctx, tokenParts[0], tokenParts[1]) if err != nil { t.Fatal(err) } @@ -87,7 +81,7 @@ func TestCheck(t *testing.T) { t.Fatal("expected token and secret to be valid") } - valid, err = cs.Check(ctx, "x", []byte("badsecret")) + valid, err = cs.Check(ctx, "x", "badsecret") if err != nil { t.Fatal(err) } diff --git a/net/http/authn/authn.go b/net/http/authn/authn.go index 2bda7759..0a6d9e62 100644 --- a/net/http/authn/authn.go +++ b/net/http/authn/authn.go @@ -128,26 +128,18 @@ func (a *API) tokenAuthn(req *http.Request) (string, error) { return user, a.cachedTokenAuthnCheck(req.Context(), user, pw) } -func (a *API) tokenAuthnCheck(ctx context.Context, user, pw string) (bool, error) { - pwBytes, err := hex.DecodeString(pw) - if err != nil { - return false, nil - } - return a.tokens.Check(ctx, user, pwBytes) -} - func (a *API) cachedTokenAuthnCheck(ctx context.Context, user, pw string) error { a.tokenMu.Lock() - res, ok := a.tokenMap[user+pw] + res, ok := a.tokenMap[user + pw] a.tokenMu.Unlock() if !ok || time.Now().After(res.lastLookup.Add(tokenExpiry)) { - valid, err := a.tokenAuthnCheck(ctx, user, pw) + valid, err := a.tokens.Check(ctx, user, pw) if err != nil { return errors.Wrap(err) } res = tokenResult{valid: valid, lastLookup: time.Now()} a.tokenMu.Lock() - a.tokenMap[user+pw] = res + a.tokenMap[user + pw] = res a.tokenMu.Unlock() } if !res.valid { -- 2.11.0