authorJulian Hurst <ark@mansus.space>2025-03-28 16:48:55 +0100
committerJulian Hurst <ark@mansus.space>2025-03-28 16:48:55 +0100
commit7553813376f94e3ae287de78efe413662cd8f967 (patch)
tree98b3cd47138e47099e71442eaf0c716035259688
parent2314ace2d7d1a92010708a9f0e3208cc1068594e (diff)
downloadbox-7553813376f94e3ae287de78efe413662cd8f967.tar.gz
Adds bcrypt for token hashing
-rw-r--r--go.mod8
-rw-r--r--go.sum4
-rw-r--r--main.go24
-rw-r--r--templates/index.html2
4 files changed, 26 insertions, 12 deletions
diff --git a/go.mod b/go.mod
index 3aba2c6..363e8e0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,9 @@
module box
-go 1.23
+go 1.23.0
-require github.com/google/uuid v1.6.0 // indirect
+toolchain go1.24.1
+
+require github.com/google/uuid v1.6.0
+
+require golang.org/x/crypto v0.36.0 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..8a06334
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,4 @@
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
diff --git a/main.go b/main.go
index b9bf651..2223a4c 100644
--- a/main.go
+++ b/main.go
@@ -16,6 +16,7 @@ import (
"io/fs"
"github.com/google/uuid"
+ "golang.org/x/crypto/bcrypt"
)
//go:embed templates
@@ -27,17 +28,17 @@ var favicon []byte
type BoxHandler struct {
filesPath string
- token string
+ token []byte
deleteEnabled bool
index bool
}
-func serve(w http.ResponseWriter, token string, views ...string) {
+func serve(w http.ResponseWriter, token []byte, views ...string) {
t, err := template.New("index.html").ParseFS(tmplFS, views...)
if err != nil {
log.Fatal(err)
}
- if err := t.Execute(w, token); err != nil {
+ if err := t.Execute(w, token != nil); err != nil {
log.Fatal(err)
}
}
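Review bot: `BoxHandler.token` now holds a bcrypt hash and uses nil to mean that no token is required, but nothing on the struct says so. A field comment such as `// token is the bcrypt hash of the access token; nil when no token is required` would record both facts next to the type change. `serve` only needs the yes/no answer, so its parameter could be `tokenRequired bool` rather than the hash itself, which keeps the hash out of the template path; its callers are outside this hunk and would need the matching change.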
@@ -79,7 +80,7 @@ func (handler BoxHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return
}
token := r.Header.Get("X-Token")
- if token != handler.token {
+ if bcrypt.CompareHashAndPassword(handler.token, []byte(token)) != nil {
log.Println("unauthorized")
w.WriteHeader(http.StatusUnauthorized)
return
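Review bot: When no token is configured `handler.token` is nil, and `bcrypt.CompareHashAndPassword` returns an error for a hash that short, so this check answers 401 to every request unless a guard outside the hunk skips it. The old `token != handler.token` let an absent header match the empty token, so token-less mode looks like it regresses here. If that mode is still meant to work, the condition should be `if handler.token != nil && bcrypt.CompareHashAndPassword(handler.token, []byte(token)) != nil {`. The same line is changed in the hunk at `-101,7 +102,7`, and ServeHTTP starts and ends outside both hunks.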
@@ -101,7 +102,7 @@ func (handler BoxHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return
}
token := r.Header.Get("X-Token")
- if token != handler.token {
+ if bcrypt.CompareHashAndPassword(handler.token, []byte(token)) != nil {
log.Println("unauthorized")
w.WriteHeader(http.StatusUnauthorized)
return
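Review bot: The bcrypt comparison here and in the previous hunk runs before the caller is authenticated, so every request reaching this branch costs the server a full `bcrypt.DefaultCost` computation. If the token is a long random secret rather than a human-chosen password, a constant-time digest comparison is enough and far cheaper: keep `sha256.Sum256([]byte(tok))` in the handler and test `subtle.ConstantTimeCompare(sum[:], handler.token) != 1`. If bcrypt is kept to cover weak tokens, a rate limit in front of this branch would bound the CPU cost. The two checks are identical and could live in one helper method on `BoxHandler`; ServeHTTP continues outside the hunk.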
@@ -143,14 +144,19 @@ func main() {
index := flag.Bool("i", false, "Enable displaying the resource folder index")
flag.Parse()
- token := ""
+ var token []byte = nil
if *isToken {
- token = os.Getenv("BOX_TOKEN")
- if token == "" {
+ tok := os.Getenv("BOX_TOKEN")
+ if tok == "" {
fmt.Print("Token: ")
sc := bufio.NewScanner(os.Stdin)
sc.Scan()
- token = sc.Text()
+ tok = sc.Text()
+ }
+ var err error = nil
+ token, err = bcrypt.GenerateFromPassword([]byte(tok), bcrypt.DefaultCost)
+ if err != nil {
+ panic(err)
}
}
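Review bot: An empty token is still accepted here: if `BOX_TOKEN` is unset and the stdin read yields nothing (the result of `sc.Scan()` is not checked), `tok` is `""` and its bcrypt hash will match a request that sends no `X-Token` header, so the token option is silently ineffective. Reject it before hashing, e.g. `if tok == "" { log.Fatal("token must not be empty") }`. `bcrypt.GenerateFromPassword` also returns `ErrPasswordTooLong` for input over 72 bytes, which `panic(err)` turns into a stack trace; `log.Fatal(err)` would match the error handling in `serve`. main starts and ends outside the hunk.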
diff --git a/templates/index.html b/templates/index.html
index 0bf6019..8bb0e38 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -66,7 +66,7 @@ This ID can then be used to get the file by sending a GET request to /[resourceI
If enabled on the server, the resource can be deleted by sending a DELETE request to /[resourceID].
Again if a token has been set on the server, use a X-Token header when sending the request.</pre>
- {{ if ne . "" }}
+ {{ if . }}
<input type="text" id="token" placeholder="token"/>
{{end}}
<input type="file" id="file"/><br/><br/>